--- title: PingOne Release Notes description: Review release notes for the PingOne Cloud Platform and PingOne Services. component: pingone page_id: pingone:release_notes:index canonical_url: https://docs.pingidentity.com/pingone/release_notes/index.html revdate: August 5, 2025 page_aliases: ["p1_release_notes_main.adoc"] section_ids: 2024: 2024 2025: 2025 2026: 2026 may-2026: May 2026 p1_may2026_release_notes: May 27 password-recovery-notification-template: Password recovery notification template may-26: May 26 configuration-management-and-promotion-early-access: Configuration management and promotion - Early Access may-24: May 24 strong-authentication-mfa-availability-in-the-singapore-geography: Strong authentication (MFA) availability in the Singapore geography may-21: May 21 openldap-and-radiant-logic-directory-type-provisioners: OpenLDAP and Radiant Logic directory type provisioners authorize-gateway-1-2-1: Authorize gateway 1.2.1 security-updates: Security updates structured-errors-for-invalid-decision-requests: Structured errors for invalid decision requests gateway-instance-startup-message: Gateway instance startup message end-of-support-notice: End of support notice may-19: May 19 support-for-the-typ-header-parameter-in-access-tokens: Support for the typ header parameter in access tokens pingone-protect-dashboard-date-range: PingOne Protect dashboard - date range may-18: May 18 bypass-mfa-enabled-until-field-added-to-the-user-devices-report: Bypass MFA Enabled Until field added to the User Devices report custom-sms-and-voice-provider-country-and-national-variables: Custom SMS and Voice provider country and national variables may-17: May 17 pingone-mfa-mobile-sdk-2-3-1-ios-only: PingOne MFA mobile SDK 2.3.1 (iOS only) pingid-device-trust-version-1-1: PingID Device Trust version 1.1 may-13: May 13 box-docusign-and-dropbox-provisioning-connections: Box, Docusign, and Dropbox provisioning connections may-11: May 11 import-and-export-forms-when-copying-and-pasting-davinci-nodes: Import and export forms when copying and pasting DaVinci nodes may-10: May 10 custom-provider-oauth2-scope: Custom provider OAuth2 scope may-7: May 7 password-change-notification-templates: Password change notification templates improved-saml-interoperability-with-external-idps: Improved SAML interoperability with external IdPs may-6: May 6 notification-template-localization-improvements: Notification template localization improvements aadhaar-verification-using-pingone-verify: Aadhaar verification using PingOne Verify may-4: May 4 audit-notification-event-changes: Audit - notification event changes april-2026: April 2026 april-30: April 30 application-request-redirect_uri-parameter-echoed-in-pi-flow-responses: Application request redirect_uri parameter echoed in pi.flow responses cloning-a-provisioning-rule: Cloning a provisioning rule april-28: April 28 updated-ldap-gateway-client-application: Updated LDAP gateway client application provisioning-inbound-group-sync: Provisioning inbound group sync april-27: April 27 forms-mfa-device-selection-supports-new-device-types: Forms MFA Device Selection supports new device types april-26: April 26 pingone-mfa-mobile-sdk-2-3: PingOne MFA mobile SDK 2.3 april-21: April 21 sts-username-flow-user-migration-upon-first-authentication: STS username flow user migration upon first authentication april-19: April 19 define-a-secondary-email-address-for-backup-authentication: Define a secondary email address for backup authentication april-14: April 14 updated-ldap-gateway-client-application-2: Updated LDAP gateway client application april-13: April 13 increased-limit-for-custom-language-key-value-pairs-in-davinci: Increased limit for custom language key-value pairs in DaVinci april-9: April 9 pingone-notifications-syniverse-channels: PingOne notifications - Syniverse channels otp-and-push-notification-status-for-user-devices: OTP and Push notification status for user devices april-7: April 7 application-metadata-properties: Application metadata properties april-2: April 2 updated-ui-for-certificates-and-key-pairs: Updated UI for Certificates and Key Pairs april-1: April 1 verification-code-notification-template-updates: Verification Code notification template updates account-created-notification-template: Account Created notification template march-2026: March 2026 march-31: March 31 introducing-ai-agents-in-pingone: Introducing AI Agents in PingOne pingone-protect-ai-agent-detection: PingOne Protect AI agent detection march-30: March 30 updates-to-api-usage-dashboard: Updates to API Usage Dashboard march-29: March 29 erasing-risk-related-data-for-user: Erasing risk-related data for user mfa-dashboard: MFA dashboard march-26: March 26 authentication-dashboard-early-access-updates: Authentication Dashboard early access updates march-17: March 17 webhooks-protocol-selection: Webhooks protocol selection march-16: March 16 composite-predictors-number-of-items: Composite predictors - number of items march-15: March 15 context-based-risk-policies-for-customer-pingone-mfa-mfa-use-cases: Context-based risk policies for customer (PingOne MFA) MFA use cases march-12: March 12 configurable-attribute-to-locate-users-based-on-username-tokens: Configurable attribute to locate users based on username tokens audit-messages-for-ldap-gateway-user-migration-failures: Audit messages for LDAP gateway user migration failures march-10: March 10 support-for-ciba: Support for CIBA oauth-2-0-token-exchange: OAuth 2.0 token exchange option-to-set-custom-resource-attributes-as-required: Option to set custom resource attributes as required notification-policies-default-deny-list: Notification policies - default deny list march-8: March 8 pingone-mfa-mobile-sdk-2-2-1: PingOne MFA mobile SDK 2.2.1 march-5: March 5 provisioning-dashboard: Provisioning Dashboard february-2026: February 2026 p1_february2026_release_notes: February 27 updated-ldap-gateway-client-application-3: Updated LDAP gateway client application february-25: February 25 anonymous-network-detection-fewer-false-positives: Anonymous network detection - fewer false positives february-24: February 24 new-pingid-desktop-app-1-0-for-a-consistent-passwordless-experience: New PingID desktop app 1.0 for a consistent passwordless experience context-based-risk-policies-for-workforce-pingid-mfa: Context-based risk policies for workforce (PingID) MFA support-for-multiple-mfa-policies: Support for multiple MFA policies disable-the-pingid-mobile-app-as-an-allowed-method: Disable the PingID mobile app as an allowed method configurable-grace-period-for-totp-passcodes: Configurable grace period for TOTP passcodes february-19: February 19 phase-2-custom-domain-infrastructure-changes: "Phase 2: Custom domain infrastructure changes" new-inbound-traffic-policies-ui-for-cloudflare-custom-domains: New Inbound Traffic Policies UI for Cloudflare custom domains pingone-forms-now-support-an-extension-in-the-phone-number-field: PingOne Forms now support an extension in the phone number field february-18: February 18 gateway-version-deprecating-email-alert: Gateway version deprecating email alert new-audit-event-types-for-languages: New audit event types for Languages february-17: February 17 update-for-user-searches: Update for user searches webhooks-enhancements: Webhooks enhancements limit-the-maximum-payload-size-per-webhook: Limit the maximum payload size per webhook february-15: February 15 show-application-name-setting-ignored-for-totp-apps: "'Show application name' setting ignored for TOTP apps" february-4: February 4 key-rotation-policies-for-token-signing: Key rotation policies for token signing february-3: February 3 group-role-assignment-update: Group role assignment update special-characters-in-notification-templates: Special characters in notification templates january-2026: January 2026 p1_january2026_release_notes: January 27 support-for-opaque-refresh-tokens: Support for opaque refresh tokens january-25: January 25 issue-causing-otp-authentications-to-fail-when-using-radius-pcv: Issue causing OTP authentications to fail when using RADIUS PCV specifying-maximum-retention-period-for-risk-data: Specifying maximum retention period for risk data january-21: January 21 pingone-protect-signals-sdk-new-versions: PingOne Protect (Signals) SDK - new versions january-19: January 19 empty-fido2-transport-list-not-handled-correctly: Empty FIDO2 transport list not handled correctly january-15: January 15 theme-improvements-and-additions: Theme improvements and additions january-12: January 12 microsoft-365-application-advanced-settings-for-passive-profile: Microsoft 365 application advanced settings for passive profile ws-trust-version: WS-Trust version assertion-validity-duration: Assertion validity duration increased-limit-for-applications-per-environment: Increased limit for applications per environment configure-minimum-length-for-fido-device-pin-during-user-verification: Configure minimum length for FIDO device PIN during user verification after-migration-to-pingone-authonline-of-authtype-otp-not-working-as-expected: After migration to PingOne authOnline of authType OTP not working as expected january-5: January 5 support-for-8-digit-codes-from-authenticator-apps: Support for 8-digit codes from authenticator apps december-2025: December 2025 december-14: December 14 pingone-mfa-mobile-sdk-2-2: PingOne MFA mobile SDK 2.2 android: Android ios: iOS sample-applications: Sample applications december-7: December 7 custom-mail-from-domains: Custom MAIL FROM domains time-zones-for-fields-in-user-device-reports: Time zones for fields in User Device reports december-3: December 3 ida-in-pingone-verify: IDA in PingOne Verify november-2025: November 2025 november-18: November 18 provisioning-dashboard-2: Provisioning Dashboard november-17: November 17 limiting-number-of-mfa-devices-waiting-for-activation: Limiting number of MFA devices waiting for activation pingone-environment-properties-name-field-defines-the-pingid-mobile-app-organization-name: PingOne Environment Properties Name field defines the PingID mobile app Organization Name pingid-activity-logs-missing-information-from-davinci: PingID activity logs missing information from DaVinci november-11: November 11 provisioning-rules: Provisioning rules november-7: November 7 pingone-forms-now-support-dynamic-agreements: PingOne Forms now support dynamic agreements november-5: November 5 risk-policy-validation: Risk policy validation november-4: November 4 gateway-alerts: Gateway alerts october-2025: October 2025 october-30: October 30 forms-can-only-contain-a-single-agreement-component: Forms can only contain a single Agreement component data-based-identity-verification: Data-Based Identity Verification october-29: October 29 audit-data-retrieval-changes: Audit data retrieval changes querying-recent-data: Querying recent data retrieving-older-data: Retrieving older data querying-older-data: Querying older data october-28: October 28 support-for-microsoft-entra-id-hybrid-join: Support for Microsoft Entra ID hybrid join improved-pingone-davinci-integration: Improved PingOne DaVinci integration october-26: October 26 updates-to-mfa-status-following-migration-of-an-existing-pingid-account-to-an-existing-pingone-environment: Updates to MFA status following migration of an existing PingID account to an existing PingOne environment october-24: October 24 updated-ldap-gateway-client-application-4: Updated LDAP gateway client application october-23: October 23 import-and-export-forms-with-davinci-flows: Import and export forms with DaVinci Flows october-22: October 22 support-added-for-up-to-100-million-identities-per-environment: Support added for up to 100 million identities per environment october-21: October 21 oauth-2-0-authorization-server-metadata: OAuth 2.0 authorization server metadata october-20: October 20 groups-ui-enhancements: Groups UI enhancements october-17: October 17 audit-data-retrieval-changes-deployed-in-singapore-region: Audit data retrieval changes deployed in Singapore region october-7: October 7 option-to-accept-acs-urls-found-in-signed-saml-authnrequests: Option to accept ACS URLs found in signed SAML AuthnRequests october-2: October 2 audit-data-retrieval-changes-coming: Audit data retrieval changes coming september-2025: September 2025 september-30: September 30 domains: Domains updated-ldap-gateway-client-application-5: Updated LDAP gateway client application authorize-gateway-1-2-0: Authorize gateway 1.2.0 bulk-decision-requests: Bulk decision requests end-of-support-notice-2: End of support notice improve-cache-performance-with-header-exclusions: Improve cache performance with header exclusions september-15: September 15 api-usage-dashboard-and-maximum-throughput-assurance: API Usage Dashboard and Maximum Throughput Assurance september-14: September 14 migration-now-completes-successfully-even-if-some-user-accounts-fail-to-migrate: Migration now completes successfully even if some user accounts fail to migrate september-9: September 9 backward-compatibility-for-fallback-to-next-device-for-pingid-accounts: Backward compatibility for fallback to next device for PingID accounts september-5: September 5 bring-your-own-authorization-server: Bring your own authorization server september-2: September 2 require-users-to-perform-mfa-to-manage-myaccount: Require users to perform MFA to manage MyAccount custom-notification-providers-support-for-additional-authorization-methods: Custom notification providers - support for additional authorization methods august-2025: August 2025 august-27: August 27 authorize-gateway-1-1-0: Authorize gateway 1.1.0 more-powerful-policy-authoring: More powerful policy authoring more-granular-control-over-administrator-permissions: More granular control over administrator permissions enhanced-logging: Enhanced logging end-of-support-notice-3: End of support notice august-26: August 26 support-added-for-rfc-7914-password-encoding-format: Support added for RFC 7914 password encoding format august-19: August 19 detection-of-compromised-accounts: Detection of compromised accounts august-18: August 18 evaluate-all-child-authorization-policies-or-rules: Evaluate all child authorization policies or rules august-10: August 10 passcode-grace-period: Passcode grace period july-2025: July 2025 july-31: July 31 simplified-native-mobile-app-configuration-and-integration: Simplified native mobile app configuration and integration july-27: July 27 senders-ui-enhancements: Senders UI enhancements pingone-mfa-mobile-sdk-1-11-1: PingOne MFA mobile SDK 1.11.1 july-23: July 23 conditional-component-visibility-in-pingone-forms: Conditional component visibility in PingOne Forms identifier-first-authentication-enabled-in-administrator-security: Identifier First authentication enabled in Administrator Security july-16: July 16 identity-data-matching: Identity data matching july-15: July 15 support-for-multiple-custom-resources-in-a-single-access-token: Support for multiple custom resources in a single access token july-14: July 14 support-for-multiple-mfa-policies-2: Support for multiple MFA policies use-of-risk-policies-with-an-mfa-only-license: Use of risk policies with an MFA-only license july-9: July 9 provisioning-to-zscaler-using-scim: Provisioning to ZScaler using SCIM july-8: July 8 using-expressions-to-retrieve-microsoft-entra-attributes: Using expressions to retrieve Microsoft Entra attributes july-7: July 7 targeted-risk-policies: Targeted risk policies mitigations-in-risk-policies: Mitigations in risk policies external-applications: External applications pingone-mfa-mobile-sdk-2-1-1: PingOne MFA mobile SDK 2.1.1 android-2: Android ios-2: iOS: july-3: July 3 new-pingone-verify-settings-available-in-themes: New PingOne Verify settings available in themes july-2: July 2 updated-ui-for-branding-and-themes: Updated UI for Branding and Themes july-1: July 1 new-help-desk-admin-role-added: New Help Desk Admin role added june-2025: June 2025 june-30: June 30 new-singapore-domain: New Singapore domain june-25: June 25 oidc-session-management: OIDC session management june-22: June 22 pingone-mfa-mobile-sdk-2-1: PingOne MFA mobile SDK 2.1 june-17: June 17 pingone-notifications-twilio-verify: PingOne Notifications - Twilio Verify june-12: June 12 ability-to-delete-translatable-keys-for-language-management: Ability to delete translatable keys for language management june-4: June 4 signals-pingone-protect-sdk-new-version-for-web: Signals (PingOne Protect) SDK - new version for web multi-factor-authentication-enforced-for-all-access-to-the-admin-console: Multi-factor authentication enforced for all access to the admin console june-3: June 3 virtual-server-ids-for-saml-applications: Virtual server IDs for SAML applications configure-the-one-time-passcode-otp-length-for-workforce-use-cases: Configure the one-time passcode (OTP) length for Workforce use cases may-2025: May 2025 may-28: May 28 sms-notifications-for-users-in-china: SMS notifications for users in China major-update-to-pingone-forms: Major update to PingOne Forms new-form-templates: New form templates new-components: New components improved-components: Improved components new-features: New features other-improvements: Other improvements changes-to-the-form-connectors-show-form-node: Changes to the Form connector's Show Form node may-27: May 27 sign-off-method-for-application-portal-and-self-service-myaccount-app: Sign-off method for application portal and self-service (MyAccount app) saml-2-0-slo-support-with-the-pingone-authentication-connector: SAML 2.0 SLO support with the PingOne Authentication connector may-20: May 20 mfa-with-multiple-authentication-policies: MFA with multiple authentication policies may-16: May 16 verify-users-in-india-with-aadhaar-verification-using-pingone-verify-policies: Verify users in India with Aadhaar verification using PingOne Verify policies may-13-2: May 13 fido-attestation-improvements: FIDO Attestation improvements may-12: May 12 use-of-short-codes-for-pingone-sms-notifications-united-states-and-canada: Use of short codes for PingOne SMS notifications - United States and Canada may-11-2: May 11 oath-token-authentication-for-customer-use-cases: OATH token authentication for customer use cases may-7-2: May 7 administrator-security-enhancements: Administrator Security enhancements may-1: May 1 invite-administrators-to-register-with-pingone: Invite administrators to register with PingOne april-2025: April 2025 april-30-2: April 30 production-environment-deletion-protection: Production environment deletion protection april-29: April 29 support-for-microsoft-entra-id-external-mfa-with-pingone-pingid-and-davinci: Support for Microsoft Entra ID external MFA with PingOne, PingID, and DaVinci april-28-2: April 28 whatsapp-as-an-authentication-method: WhatsApp as an authentication method define-cooldown-period-for-sending-notifications: Define cooldown period for sending notifications april-24: April 24 administrator-roles-ui-enhancements: Administrator Roles UI enhancements skip-account-lock-verification-during-authentication: Skip account lock verification during authentication april-22: April 22 support-for-x5t-header-parameter-in-oidc-applications: Support for x5t header parameter in OIDC applications april-11: April 11 amazon-web-services-integration-kit-1-4-0: Amazon Web Services integration kit 1.4.0 april-10: April 10 improvements-to-pingid-ootb-registration-and-authentication-davinci-flows: Improvements to PingID OOTB Registration and Authentication DaVinci flows april-9-2: April 9 updated-ui-for-external-idps: Updated UI for External IdPs april-2-2: April 2 early-access-opt-in-for-new-features: Early access opt in for new features pingone-mfa-mobile-sdk-2-0: PingOne MFA mobile SDK 2.0 authentication-using-number-matching: Authentication using number matching pairing-mobile-device-in-multiple-regions: Pairing mobile device in multiple regions march-2025: March 2025 march-31-2: March 31 manually-enter-number-for-number-matching: Manually enter number for number matching expanded-management-capabilities-for-migrated-pingid-accounts-in-pingone: Expanded management capabilities for migrated PingID accounts in PingOne march-26-2: March 26 updated-ldap-gateway-client-application-6: Updated LDAP gateway client application march-25: March 25 specify-preferred-language-for-populations: Specify preferred language for populations manage-microsoft-active-directory-user-passwords: Manage Microsoft Active Directory user passwords aaguid-in-api-responses-for-fido2-devices: AAGUID in API responses for FIDO2 devices march-23: March 23 pingone-protect-signals-sdk-new-versions-2: PingOne Protect (Signals) SDK - new versions march-20: March 20 kong-gateway-integration-kit-enhancement: Kong Gateway integration kit enhancement march-19: March 19 configure-authentication-failure-limit-for-fido2-devices: Configure authentication failure limit for FIDO2 devices march-17-2: March 17 custom-domain-infrastructure-changes: Custom domain infrastructure changes action-required: Action required march-10-2: March 10 id-of-authenticating-device-in-id-token: ID of authenticating device in ID token march-4: March 4 pingid-device-trust-predictor-in-risk-policies: PingID device trust predictor in risk policies february-2025: February 2025 february-25-2: February 25 language-used-for-notifications: Language used for notifications push-notifications-removal-of-legacy-google-cloud-messaging-option: Push notifications - removal of legacy Google cloud messaging option apply-a-specific-notification-policy-to-an-mfa-policy: Apply a specific notification policy to an MFA policy february-24-2: February 24 remember-me-option-in-mfa-policies: Remember Me option in MFA policies february-20: February 20 ability-to-limit-custom-role-access-to-overview-page-added: Ability to limit custom role access to Overview page added february-12: February 12 population-theme-updates: Population theme updates using-expressions-to-access-authentication-jwt-for-token-fulfillment: Using expressions to access authentication JWT for token fulfillment february-5: February 5 pingone-notifications-multiple-custom-smsvoice-providers: PingOne Notifications - multiple custom SMS/voice providers february-4-2: February 4 multi-factor-authentication-required-for-access-to-admin-console-updates: Multi-factor authentication required for access to admin console - updates action-required-2: Action Required january-2025: January 2025 january-31: January 31 access-token-enhancements: Access token enhancements role-assignment-event-enhancements: Role assignment event enhancements january-30: January 30 detection-of-replay-attacks: Detection of replay attacks january-29: January 29 updated-defaults-for-new-native-applications: Updated defaults for new native applications format-of-phone-numbers-in-mexico: Format of phone numbers in Mexico january-28: January 28 pingid-as-a-digital-wallet: PingID as a digital wallet terminate-user-sessions-with-only-id-token: Terminate user sessions with only ID token january-21-2: January 21 oidc-based-linkedin-external-identity-provider: OIDC-based LinkedIn external identity provider january-20: January 20 introducing-authorize-gateways: Introducing Authorize gateways january-14: January 14 custom-oauth-parameters-for-http-service-requests: Custom OAuth parameters for HTTP service requests troubleshooting-ldap-authentication: Troubleshooting LDAP authentication improved-application-management-experience: Improved application management experience january-10: January 10 authorization-dashboard-enhancements: Authorization Dashboard enhancements january-9: January 9 step-up-authentication-for-apis: Step-up authentication for APIs define-public-key-credential-hints-in-the-fido-policy: Define Public Key Credential Hints in the FIDO policy radius-gateway-enhancements: RADIUS gateway enhancements radius-gateway-security-enhancement: RADIUS gateway security enhancement radius-gateway-fails-to-forward-requests-to-the-nps-server: RADIUS gateway fails to forward requests to the NPS Server january-6: January 6 pingid-account-in-pingone: PingID account in PingOne early-access-to-manage-pingid-out-of-pingone: Early access to manage PingID out of PingOne bypass-mfa-for-a-specific-user: Bypass MFA for a specific user documentation-improvements: Documentation improvements december-2024: December 2024 december-16: December 16 device-authorization-app-restored-to-pingid-policy: Device Authorization app restored to PingID policy december-10: December 10 population-alternative-identifiers-and-theme: Population alternative identifiers and theme add-custom-attributes-from-workday-into-pingone: Add custom attributes from Workday into PingOne december-9: December 9 define-the-user-presence-timeout-for-fido-devices: Define the user presence timeout for FIDO devices november-2024: November 2024 november-20: November 20 added-active-directory-compatibility-to-the-reset-password-capability: Added Active Directory compatibility to the Reset Password capability november-19: November 19 user-demographic-dashboard: User demographic dashboard november-18-2: November 18 simplified-oidc-application-configuration-and-integration: Simplified OIDC application configuration and integration november-14: November 14 manually-approve-a-users-id: Manually approve a user's ID november-13: November 13 specifying-authentication-policy-for-saml-applications-using-flowpolicyid: Specifying authentication policy for SAML applications using flowPolicyId amazon-api-gateway-integration-kit-retries-for-client-network-errors: Amazon API Gateway integration kit retries for client network errors november-12: November 12 language-localization: Language localization november-11-2: November 11 deletion-of-staging-policies-when-promoting-to-production: Deletion of staging policies when promoting to production november-6: November 6 pingone-protect-signals-sdk-new-versions-3: PingOne Protect (Signals) SDK - new versions november-5-2: November 5 support-for-offline_access-scope-in-oidc-applications: Support for offline_access scope in OIDC applications --- # PingOne Release Notes Review release notes for the PingOne Cloud Platform and PingOne Services. Subscribe to get automatic updates: [icon: rss-square, set=fa][PingOne Release Notes RSS feed](index.xml) | | | | - | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | Beginning March 2, 2027:- PingOne will issue only opaque refresh tokens, and JWTs will be deprecated for refresh tokens. You must update existing OpenID Connect (OIDC)-based applications to use opaque refresh tokens before this date to avoid your users being unable to access resources they need. Learn more in [Support for opaque refresh tokens](#p1_january2026_release_notes) in the January 27, 2026 release note and [Refresh tokens](../applications/p1_refresh_tokens.html). - PingOne will only use signing keys from key rotation policies (KRPs) to sign ID tokens and access tokens, regardless of whether the audience for the access token is PingOne APIs or custom resources. Any OIDC-based applications not using the KRP will automatically update to use the default KRP on this date. Learn more in [Key rotation policy for token signing](#p1_february2026_release_notes) in the February 4, 2026 release note and [Key rotation policies](../settings/p1_key_rotation_policy.html). - PingOne will always include the `typ` header parameter with the `at+jwt` value when minting access tokens whether the intended audience is the `UserInfo` endpoint, PingOne APIs, or custom resources. To avoid service disruptions, enable the **Include the typ parameter in the header of access tokens** setting for each of your applications, verify each application remains functional, and work with your organization's applications and custom resources teams to resolve any issues. Learn more in [Support for the `typ` header parameter in access tokens](#p1_may2026_release_notes) in the May 19, 2026 release note and [Editing an application](../applications/p1_editing_applications.html). | ## 2026 ### May 2026 #### May 27 ##### Password recovery notification template New PingOne PingOne DaVinci We've released a new template for password recovery notifications. You can now use this template to send a recovery code to the user when they need to recover and reset their password. There are two options for this template: **Password Recovery** and **Password Recovery DaVinci**. Learn more in [Notification Templates](../user_experience/p1_notifications.html) and in the [PingOne Connector](https://docs.pingidentity.com/connectors/p1_connector.html) documentation. #### May 26 ##### Configuration management and promotion - Early Access New PingOne New native PingOne configuration promotion capabilities are available for early access. These tools allow you to automate the promotion of configuration resources (such as applications, DaVinci flows, and policies) from one environment to another environment from the PingOne admin console or using the PingOne APIs. For the purposes of early access, this feature is available for sandbox environments only. Learn more in [Configuration management and promotion in PingOne (early access)](../early-access-features/ea-p1_promote.html) and [Configuration Management](https://developer.pingidentity.com/pingone-api-ea/platform/early-access/configuration-management.html) in the PingOne API early access documentation. Learn more about opting in to early access features in [Managing opt-ins for early access features in PingOne](../settings/p1_managing_opt_ins_for_ea_features.html). #### May 24 ##### Strong authentication (MFA) availability in the Singapore geography New Strong Authentication PingOne MFA Strong authentication (MFA) is now available in the Singapore geography. In the Singapore geography, the PingOne MFA service supports both Customer and Workforce use cases. When creating a new environment in this geography, select the PingOne MFA service. The environment type (Customer or Workforce) is automatically determined by the license you select. * Learn more in [Setting up an environment for strong authentication (MFA)](../strong_authentication_mfa/p1_create_environment_strong_authentication_start.html) and [What is the difference between Workforce and Customer environments?](../strong_authentication_mfa/p1_pid_what_is_the_difference.html) | | | | - | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | The **Build your own option** can't be used to create Workforce environments right now, as it defaults to a Customer environment. This temporary limitation will be resolved in a future release.**Recommended workaround**: Select the **Workforce Solution** tile to create your environment, then add any additional services later. | #### May 21 ##### OpenLDAP and Radiant Logic directory type provisioners New PingOne You can now create LDAP provisioning connections with an OpenLDAP or Radiant Logic directory type. Learn more in [Provisioning OpenLDAP with PingOne](../integrations/p1_provisioning_connection_openldap.html) and [Provisioning Radiant Logic with PingOne](../integrations/p1_provisioning_connection_radiant_logic.html). ##### Authorize gateway 1.2.1 New PingOne PingOne Authorize We've released Authorize gateway version 1.2.1. This version includes: ###### Security updates We've updated underlying runtime components to address potential security vulnerabilities in the HTTP network stack and Docker base image. ###### Structured errors for invalid decision requests Gateway instances now return structured, field-level error responses for invalid `userContext` values in decision requests. Previously, such requests returned a generic error message without identifying the specific field or validation failure. ###### Gateway instance startup message To help manage Authorize gateways across multiple environments, gateway instances now log identifying information on startup for the associated gateway and PingOne environment. Learn more in [Startup logging](../integrations/p1_logging_authz_gateway_instances.html#p1_az_gateway_startup_logging). ###### End of support notice Support for the previous Authorize gateway version (1.2.0) will end on May 31, 2027. Learn more in [Authorize gateway support lifecycle](../integrations/p1_authz_gateway_support_lifecycle.html). #### May 19 ##### Support for the `typ` header parameter in access tokens New PingOne PingOne now supports optionally including the `typ` header parameter with the `at+jwt` value in JWT-based access tokens for the `UserInfo` endpoint, PingOne APIs, and custom resources. This setting identifies the type and purpose of access tokens, providing increased security and preventing misuse. Beginning March 2, 2027, the **Include the typ parameter in the header of access tokens** setting will be discontinued, and PingOne will always include the parameter with the `at+jwt` value when minting access tokens for the `UserInfo` endpoint, PingOne APIs, and custom resources. To avoid service disruptions, you must validate and update your applications and custom resources before this date to handle this parameter always being included in access tokens. Learn more in [Editing an application](../applications/p1_editing_applications.html). ##### PingOne Protect dashboard - date range Info PingOne Protect On the PingOne Protect dashboard entry page and on the drill-down page for each of the individual charts, the 6-month and 1-year options on the time period selector have been replaced with a 3-month option. The date range filter for defining custom periods is also now limited to a maximum of 3 months. #### May 18 ##### Bypass MFA Enabled Until field added to the User Devices report Improved PingOne MFA The User Devices report now includes a **Bypass MFA Enabled Until** field. This allows administrators to quickly identify users with active MFA bypasses and view when their bypass is set to expire. | | | | - | ------------------------------------------------------------------------------------------ | | | The User Devices report only displays user bypasses added after this field was introduced. | Learn more in [User Devices report](../directory/p1_user_device_reports.html). ##### Custom SMS and Voice provider country and national variables New PingOne MFA When configuring custom SMS and Voice providers, you can now use separate variables for the country code and national (significant) number. This gives you more flexibility in how you format phone numbers. Learn more in [Configuring a custom notification provider for PingOne](../settings/p1_sender_configure_custom_provider.html). #### May 17 ##### PingOne MFA mobile SDK 2.3.1 (iOS only) New PingOne MFA We've released version 2.3.1 of the PingOne MFA mobile SDK for iOS. This version includes improved detection of jailbroken iOS devices. Learn more in the documentation for the [iOS version](https://github.com/pingidentity/pingone-mobile-sdk-ios/blob/master/release-notes.md) of the SDK. ##### PingID Device Trust version 1.1 New PingOne PingID We've released PingID Device Trust version 1.1. This version gives you greater control over custom scripts by introducing script execution modes, which define when the custom script runs and how its results are cached. Learn more in [Using the PingID Device Trust agent](../strong_authentication_mfa/p1_using_the_workforce_trust_agent.html). #### May 13 ##### Box, Docusign, and Dropbox provisioning connections New PingOne You can now provision users and groups between your accounts and PingOne using these new connections: * [Box](../integrations/p1_provisioning_connection_box.html) * [Docusign](../integrations/p1_provisioning_connection_docusign.html) * [Dropbox](../integrations/p1_provisioning_connection_dropbox.html) These are powered by the OpenICF framework, which we've integrated into PingOne to help scale our connector catalog and improve performance. #### May 11 ##### Import and export forms when copying and pasting DaVinci nodes New PingOne DaVinci Previously, we made it possible to [import forms when importing a complete flow](#october-23). Now, you can import forms by pasting nodes on the DaVinci canvas. This change will allow Ping Identity to add node groups and actions to the [Ping Identity Marketplace](https://marketplace.pingone.com/browse?products=davinci\&contentType=davinciConnectors) that include premade forms. When you paste any **Show Form** nodes, DaVinci prompts you to choose whether to import the forms to **User Experience > Forms**. Learn more in [Importing and exporting forms](../user_experience/p1_import_export_forms.html). #### May 10 ##### Custom provider OAuth2 scope New PingOne MFA When configuring custom provider OAuth 2.0 authentication, you can now add scope values to the authorization request. Learn more in [Configuring a custom notification provider for PingOne](../settings/p1_sender_configure_custom_provider.html) and [Using a custom email provider for notifications](../settings/p1_using_custom_email_provider_for_notifications.html). #### May 7 ##### Password change notification templates New PingOne DaVinci We've introduced new notification templates to improve visibility into password changes for PingOne accounts using DaVinci. These templates help ensure users are properly informed of password activity on their accounts. * **Password Change (Admin) - DaVinci**: Triggered when an administrator changes or resets a user's password. * **Password Change (End User) - DaVinci**: Triggered when an end user changes or resets their own password. Learn more in [Notification Templates](../user_experience/p1_notifications.html) and in the [PingOne Connector](https://docs.pingidentity.com/connectors/p1_connector.html) documentation. ##### Improved SAML interoperability with external IdPs Info PingOne PingOne SAML metadata exports for external identity providers (IdPs) now correctly order the `AssertionConsumerService` element after `SingleLogoutService`. This improves interoperability and ensures seamless compatibility with a wider range of SAML IdPs. #### May 6 ##### Notification template localization improvements Info PingOne MFA We're improving how PingOne handles notification languages. Currently, if a user's language is different from your environment's default language, notifications sent using a template you've created are sent in the environment's default language. After this change, when you create a new notification template, PingOne will inherit the default template's translated message in the user's language (if available). Review your enabled languages and notification templates before this update because it could change how some existing notifications are sent. ##### Aadhaar verification using PingOne Verify New PingOne Verify You can now use PingOne Verify to perform Aadhaar eID verification with India's DigiLocker wallet. By eliminating physical ID photos, this update provides a more secure and reliable process that improves verification success while reducing manual reviews and errors. Learn more in [PingOne Verify types of verification](../identity_verification_using_pingone_verify/p1_verify_types_of_verification.html) and [Creating a verify policy](../identity_verification_using_pingone_verify/p1_verify_creating_verify_policy.html). #### May 4 ##### Audit - notification event changes Info PingOne MFA In the coming weeks, a new notification event called `NOTIFICATION.FAILED` will be added in order to provide a clear indication for cases where the provider didn't successfully send the notification. This applies to all sender types. Following this change: * The following notification events will be used: * NOTIFICATION.CREATED, with status SENT * NOTIFICATION.CREATED, with status QUEUED * NOTIFICATION.UPDATED, with status depending on factors such as the provider * NOTIFICATION.FAILED, with error message * NOTIFICATION.REJECTED * The existing `NOTIFICATION.REJECTED` event (used for quota issues) was represented inconsistently in the UI, sometimes displayed as Notification Rejected and sometimes displayed as Notification Failed. To prevent any confusion with the new failure event that is being added, the `NOTIFICATION.REJECTED` event will now always be displayed in the UI as Notification Rejected. * Since failed attempts will be detected more accurately than in the past, you might see a higher number of failures when comparing dashboard data with data for periods prior to the change. ### April 2026 #### April 30 ##### Application request `redirect_uri` parameter echoed in `pi.flow` responses Info PingOne When an application includes `response_mode=pi.flow` and `redirect_uri=` in a request to the `/as/authorize` or `/as/resume` endpoint, PingOne now echoes the `redirect_uri` value back in its response. This response occurs after the requested `redirect_uri` is validated against the **Redirect URIs** configured in the application record in PingOne. This enhancement helps response receivers access the `redirect_uri` quickly without needing to look back at the requests. It applies to applications configured with either PingOne authentication policies or PingOne DaVinci flow policies. Learn more in [Applying authentication policies to an application](../applications/p1_apply_auth_policy_to_applications.html). The following sample response results from a request sent to the `/as/authorize` endpoint with `response_mode=pi.flow` and `redirect_uri=https://www.example.com`. > **Collapse: Sample response** > > ```json > { > "_links": { ... }, > "_embedded": { ... }, > "id": "...", > "environment": { > "id": "..." > }, > "session": { > "id": "..." > }, > "resumeUrl": "...", > "status": "COMPLETED", > "createdAt": "...", > "expiresAt": "...", > "authorizeResponse": { > "code": "...", > "redirect_uri": "https://www.example.com" > } > } > ``` | | | | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | | | Because PingOne APIs evolve continuously, PingOne API client developers should maintain forward compatibility in their client applications as PingOne APIs evolve. Refer to [Forward compatibility guidance](https://developer.pingidentity.com/pingone-api/before-you-begin/forward-compatibility.html) in the PingOne API documentation. | ##### Cloning a provisioning rule New PingOne You can now clone an existing provisioning rule to repurpose complex logic for different groups or attributes. Learn more in [Cloning a rule](../integrations/p1_provisioning_cloning_rule.html). #### April 28 ##### Updated LDAP gateway client application New PingOne We've released LDAP gateway client application version 4.2.0. This version improves the reliability of inbound LDAP gateway provisioning syncs by ensuring mid-search failures are reported correctly and every sync reaches a final state. ##### Provisioning inbound group sync New PingOne You can now configure provisioning inbound group syncing for an LDAP gateway when creating a connection and rule. Learn more in [Creating an inbound rule for a connection through an LDAP gateway](../integrations/p1_create_inbound_provisioning_rule_gateway.html) and [Creating an LDAP gateway provisioning connection](../integrations/p1_create_provisioning_connection_gateway.html). #### April 27 ##### Forms **MFA Device Selection** supports new device types New PingOne DaVinci The **MFA Device Selection - Registration** and **MFA Device Selection - Authentication** components in PingOne Forms now support four new MFA device types: * YubiKey * OATH tokens (Hardware tokens) * WhatsApp * PingID desktop app On the DaVinci canvas, forms with these components show a dynamic outcome list when you select a specific MFA policy. Otherwise, the node shows all possible outcomes. Learn more in [MFA components](../user_experience/p1_form_configuration.html#mfa-components). #### April 26 ##### PingOne MFA mobile SDK 2.3 New PingOne MFA We've released version 2.3 of the PingOne MFA mobile SDK. This version contains a number of bug fixes and improvements. Learn more in the documentation for the [Android version](https://github.com/pingidentity/pingone-mobile-sdk-android/blob/master/release-notes.md) and the documentation for the [iOS version](https://github.com/pingidentity/pingone-mobile-sdk-ios/blob/master/release-notes.md). #### April 21 ##### STS username flow user migration upon first authentication Info PingOne When PingOne is set up as the federated identity provider (IdP) for Microsoft Entra, the security token service (STS) username token flow now supports seamless user migration through an LDAP gateway when users first authenticate to Microsoft 365 resources. If PingOne doesn't locate an existing user record: 1. PingOne validates the user's password against Active Directory (AD) using the LDAP gateway and the user type configured in [Adding an LDAP gateway to connect PingOne with AD](../use_cases/p1_microsoft_hybrid_join_tasks.html#p1-add-ldap-gateway). 2. PingOne creates a new user record based on the configured **Password Authority** settings in the user type. #### April 19 ##### Define a secondary email address for backup authentication Improved Strong Authentication PingID We've added support for using a secondary email address as a backup authentication method in PingOne. Administrators can now configure a secondary email to help users access their accounts if their primary authentication method is unavailable. Learn more in [Configuring email authentication](../strong_authentication_mfa/p1_strong_auth_email.html). #### April 14 ##### Updated LDAP gateway client application New PingOne We've released LDAP gateway client application version 4.1.1. This version updates the Docker base image and software dependencies to improve security. #### April 13 ##### Increased limit for custom language key-value pairs in DaVinci Improved PingOne We've increased the limit for the number of custom language key-value pairs that can be added for PingOne DaVinci custom messages from 500 to 2000. Learn more in [Adding a custom key for DaVinci](../user_experience/p1_adding_custom_key_davinci.html). #### April 9 ##### PingOne notifications - Syniverse channels New PingOne If you have defined channels in your Syniverse account, you can now create a [PingOne notification sender that uses channels](../settings/p1_sender_syniverse_channels.html) rather than individual phone numbers. ##### OTP and Push notification status for user devices New PingOne MFA The information displayed for a user's authentication devices now includes the current device status for OTP authentication and the current device status for receiving push notifications. If either of these are currently disabled, the reason is displayed as well. This applies also to use of the PingID app as an authentication method. #### April 7 ##### Application metadata properties New PingOne You can now add custom metadata properties to applications in PingOne for administrative purposes, such as contact information. You can only add metadata properties to applications created by your organization and not the built-in system applications. Learn more in [Editing an application](../applications/p1_editing_applications.html). #### April 2 ##### Updated UI for Certificates and Key Pairs Improved PingOne We've updated the **Certificates and Key Pairs** UI with a new look and feel for a more streamlined experience. Learn more in [Certificates and key pairs](../settings/p1_certs_and_keypairs.html). #### April 1 ##### **Verification Code** notification template updates New PingOne PingOne DaVinci We've released a new notification template for verification codes sent by email to users to verify their accounts. You can now also customize the verification code notification template to use in a DaVinci flow with the PingOne Connector. Learn more in [Notification Templates](../user_experience/p1_notifications.html) and in the [PingOne Connector](https://docs.pingidentity.com/connectors/p1_connector.html) documentation. ##### **Account Created** notification template New PingOne PingOne DaVinci We've released a new notification template for account creation. You can now use this template to send a notification to the user when an account is created using the PingOne Connector in DaVinci. Learn more in [Notification Templates](../user_experience/p1_notifications.html) and in the [PingOne Connector](https://docs.pingidentity.com/connectors/p1_connector.html) documentation. ### March 2026 #### March 31 ##### Introducing AI Agents in PingOne New PingOne AI Agents are now available in PingOne as part of our [Identity for AI solution](https://developer.pingidentity.com/identity-for-ai/). Use AI Agents to: * Treat agents as first-class identities with unique credentials and clear ownership. * Onboard and manage AI systems the same way you manage users and applications today with centralized policies and strong authentication. * Apply least‑privilege access using fine-grained entitlements and tight access controls. * Increase visibility and auditability of agent activity alongside your human users. This helps you safely bring agentic and autonomous AI into production without relying on shared credentials or opaque access paths. Agent Identity is made available as part of our new Identity for AI solution. Contact your account executive to find out more. Learn more in [AI Agents](../ai_agents/p1_ai_agents.html). ##### PingOne Protect AI agent detection Info PingOne Protect Using the bot detection predictor, PingOne Protect can detect agentic artificial intelligence (AI) automation acting on behalf of a user or system. It can also identify a subset of specific agent types in the risk evaluation response. Agent Detection is made available as part of our PingOne Protect solution. Contact your account executive to find out more. Learn more in [Bot detection predictor](../threat_protection_using_pingone_protect/p1_protect_risk_predictors.html#bot-detection). #### March 30 ##### Updates to API Usage Dashboard Improved PingOne We've made the following improvements to the **API Usage Dashboard**: * **Historic Peak HTTP Request Rates** table: Added a new **Base Limit** column so that you can see what the default entitlements are for each rate group. * **Daily Peak HTTP Request Rates** table: When you hover over a date on the chart, the detailed view now includes information about the total number of requests per day and the percentage of requests that were throttled because they exceeded your daily entitlement. Additionally, adjustments have been made to correct inaccurate peak API usage data calculations recorded since January 2026. Learn more in [API Usage Dashboard](../settings/p1_api_usage_dashboard.html). #### March 29 ##### Erasing risk-related data for user New PingOne Protect Using the PingOne API, you can now erase all of the risk-related data that has been collected for a specific user. You can find details in the [Risk Data section](https://developer.pingidentity.com/pingone-api/protect/risk-data.html) of the PingOne API documentation. ##### MFA dashboard Improved PingOne MFA We've enhanced the MFA dashboard with improved chart rendering and interactivity. It now includes new data visualizations and expanded filtering options for MFA usage analysis. #### March 26 ##### Authentication Dashboard early access updates Improved PingOne PingOne SSO DaVinci We've enhanced the PingOne Authentication Dashboard (early access) to include PingOne DaVinci-triggered authentication activity, providing a single, consistent view of sign-on activity from PingOne and DaVinci flows. Learn more in [New Authentication Dashboard (early access)](../early-access-features/ea-p1_auth_dashboard.html). #### March 17 ##### Webhooks protocol selection PingOne Improved Beta We've made an improvement to the webhooks UI. You can now choose between HTTPS or TCP/IP to determine how webhook events are delivered to your destination. HTTP sends events using HTTP POST requests and TCP/IP sends events over a TCP connection. The protocol selection feature providing TCP/IP as an option for users is currently released only for beta testing. #### March 16 ##### Composite predictors - number of items Info PingOne Protect Composite predictors can now contain a maximum of 20 individual items. When the limit is reached, the buttons for adding an item or a group are grayed out. #### March 15 ##### Context-based risk policies for customer (PingOne MFA) MFA use cases New PingOne MFA Administrators with a customer (PingOne MFA) environment can now configure policy-based multi-factor authentication (MFA) from PingOne by creating targeted risk policies for specific authentication flow types. This allows contextual and risk-based evaluation directly within MFA flows, even without a PingOne Protect license. For example, administrators can specify different FIDO2 policies to use based on user group, application, and scenario (such as sign-on from a new device) by applying a different MFA policy in MFA mitigations. With a customer (PingOne MFA) environment, you can leverage a subset of the risk predictors available with a full PingOne Protect license. To access the complete set of risk predictors, a full PingOne Protect license is required. Learn more in [Risk policies for MFA-only licenses](../threat_protection_using_pingone_protect/p1_protect_risk_policies_mfa_only.html). #### March 12 ##### Configurable attribute to locate users based on username tokens New PingOne When PingOne is the federated identity provider (IdP) for Microsoft Entra ID, you can now select the attribute PingOne uses to match user records to the username in the username token from request security token (RST) messages. PingOne automatically matches the Entra ID username (`userPrincipalName` attribute from Active Directory by default) to the email address (`mail` attribute) in PingOne. This new setting allows you to configure the Microsoft 365 application in PingOne to match an alternative or custom attribute to the username token. This ensures PingOne can locate user records when obtaining and renewing primary refresh tokens (PRTs) from Entra ID. Learn more in [Selecting the attribute to identify users from username tokens](../applications/p1_selecting_username_token_attribute.html) and [Configuring PingOne as the federated IdP](../use_cases/p1_microsoft_hybrid_join_tasks.html#p1-update-microsoft-app-user-auth). ##### Audit messages for LDAP gateway user migration failures Improved PingOne We've enhanced audit logging to include user migration failures. Learn more in [Troubleshooting LDAP authentication](../integrations/p1_troubleshooting_ldap_authentication.html). #### March 10 ##### Support for CIBA New PingOne PingOne now supports client-initiated backchannel authentication (CIBA) with the new [CIBA grant type](../applications/p1_grant_types.html). CIBA enables an out-of-band authentication flow initiated by an end user from a consumption device, such as a point-of-sale system, and completed on the user's authentication device. You can download a sample PingOne DaVinci CIBA flow to send email notifications to your end users, allowing them to seamlessly grant or deny authentication requests on their mobile device. Learn more in [Configuring a CIBA flow](../use_cases/p1_configure_ciba_flow.html). ##### OAuth 2.0 token exchange New PingOne PingOne now supports OAuth 2.0 token exchange grant type (RFC 8693), allowing an application to exchange an existing security token it already has for an access token to access downstream resources. OAuth 2.0 token exchange enhances security by allowing you to: * Refine token scope: Restrict the scope or audience of a token before passing it to a backend service. * Enable delegation: Allow applications to act on behalf of a user while maintaining visibility into which application is performing the action. * Improve user experience: Provide seamless access without requiring the user to re-authenticate when accessing multiple resources. To get started, enable the [token exchange grant type](../applications/p1_grant_types.html) in your application configuration. Learn more about the supported use cases in [Configuring OAuth 2.0 token exchange](../use_cases/p1_oauth_2_token_exchange.html). ##### Option to set custom resource attributes as required New PingOne You can now set attributes mapped in PingOne custom resources as required. If it can't find a value for an attribute marked as required, PingOne doesn't issue an access token for the resource and instead issues an error message in the token response. Learn more in [Adding a custom resource](../applications/p1_adding_custom_resource.html) and [Editing a resource](../applications/p1_editresource.html). ##### Notification policies - default deny list New PingOne When [creating a PingOne notification policy](../user_experience/p1_creating_a_notification_policy.html), the **Target Locations** option is now selected by default, and the deny list contains a predefined set of countries. If you want to allow the relevant notification methods in some of these countries, manually remove them from the deny list. #### March 8 ##### PingOne MFA mobile SDK 2.2.1 New PingOne MFA We've released version 2.2.1 of the PingOne MFA mobile SDK. This version contains a number of bug fixes. Learn more in the documentation for the [Android version](https://github.com/pingidentity/pingone-mobile-sdk-android/blob/master/release-notes.md) and the documentation for the [iOS version](https://github.com/pingidentity/pingone-mobile-sdk-ios/blob/master/release-notes.md). #### March 5 ##### Provisioning Dashboard Improved PingOne You can now use the **Circuit Breaker Events** chart to view polling and sync failure for a specific rule and take the necessary action to resolve any failure. Learn more in [Provisioning Dashboard](../integrations/p1_provisioning_dashboard.html). ### February 2026 #### February 27 ##### Updated LDAP gateway client application New PingOne We've released LDAP gateway client application version 4.1.0. This version includes improved provisioning support for Radiant Logic and OpenLDAP directories. #### February 25 ##### Anonymous network detection - fewer false positives Improved PingOne Protect Enhancements have been made to the anonymous network detection predictor to reduce the likelihood of a legitimate IP being identified as an anonymous network risk. #### February 24 ##### New PingID desktop app 1.0 for a consistent passwordless experience New PingID PingID desktop app 1.0 provides users with a consistent passwordless authentication experience across different browsers from a Mac or Windows machine using the machine's device biometrics. This solution replaces the existing PingID desktop app, which has been renamed PingID desktop app (legacy). | | | | - | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | The [legacy](../strong_authentication_mfa/p1_pid_desktop_app_v1.html) version will remain available while customers transition their users to the new version and until feature parity is reached. | * Learn more in [(Workforce only) Configuring the PingID desktop application](../strong_authentication_mfa/p1_pid_desktop_app_start.html). * Learn more about the differences between the versions in [PingID desktop app (workforce only)](../strong_authentication_mfa/p1_pid_desktop_app_version_overview.html). ##### Context-based risk policies for workforce (PingID) MFA New PingID Administrators with a workforce (PingID) environment can now configure policy-based multi-factor authentication (MFA) from PingOne by creating targeted risk policies for specific authentication flow types. This allows contextual and risk-based evaluation directly within MFA flows, with significantly greater granularity than was possible in the legacy PingID admin console. For example, administrators can specify different FIDO2 policies to use based on user group, application, and scenario (such as login from an anonymous network) by applying a different MFA policy in MFA mitigations. With workforce (PingID) environments, you can leverage a subset of the risk predictors available with a full PingOne Protect license. To access the complete set of risk predictors, a full PingOne Protect license is required. These new context-based risk policies can replace the legacy MFA authentication policies defined in the PingID admin console when using the PingID [out-of-the-box DaVinci subflows](https://marketplace.pingone.com/item/pingid-authentication-subflow). * Learn more about PingOne Protect policies in [Risk policies](../threat_protection_using_pingone_protect/p1_protect_risk_policies.html). * Learn more about the risk predictors available with an MFA-only license in [Risk policies for MFA-only licenses](../threat_protection_using_pingone_protect/p1_protect_risk_policies_mfa_only.html). ##### Support for multiple MFA policies Improved PingID PingOne now supports the use of multiple MFA policies in workforce (PingID) environments. ##### Disable the PingID mobile app as an allowed method Improved PingID You can now remove the PingID mobile app method from the list of allowed authentication methods in a workforce (PingID) environment by clearing the checkbox in the relevant MFA policy. ##### Configurable grace period for TOTP passcodes New PingOne MFA The grace period for authenticator app (TOTP) passcodes is now configurable. As part of this change, the default grace period has been shortened. Learn more in [Configuring an MFA policy for strong authentication](../strong_authentication_mfa/p1_creating_an_mfa_policy_for_strong_auth.html). #### February 19 ##### Phase 2: Custom domain infrastructure changes Info PingOne As part of our continued efforts to support best practice security measures and advanced integrations in PingOne, we've begun the transition to using Cloudflare instead of Amazon CloudFront as our custom domain ingress infrastructure. This change is being deployed in a phased approach and affects you only if you use custom domains. Phase 1 started March 17, 2025 with all new custom domains from that date on configured to use Cloudflare. Now, in phase 2, you can migrate PingOne custom domains created before March 17, 2025 to Cloudflare. Learn more in [Migrating a custom domain to Cloudflare](../settings/p1_migrate_custom_domain_to_cloudflare.html). ###### New Inbound Traffic Policies UI for Cloudflare custom domains Building on the migration to Cloudflare, we've also added a new **Inbound Traffic Policies** UI under the **Settings** menu in the PingOne admin console. If you have a custom domain that is currently routing to Cloudflare, you can use the **Inbound Traffic Policies** page to configure custom request headers and accurate IP addresses when requests are proxied to the domain. Learn more in [Inbound traffic policies](../settings/p1_inbound_traffic_policies.html). | | | | - | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | If your custom domain was created before March 17, 2025 and hasn't been migrated, you'll need to migrate the domain before configuring and using inbound traffic policies. | In the coming months, we'll be releasing additional custom domain features that will be available only if your domain is configured for Cloudflare. Approximately a year from now, any custom domains that haven't been migrated will be migrated automatically. ##### PingOne Forms now support an extension in the phone number field Improved PingOne DaVinci We've added an **Extension** field to the **Phone Number Input** component in the drag-and-drop form builder. Learn more about customizable form fields in [Form configuration](../user_experience/p1_form_configuration.html#custom-fields). #### February 18 ##### Gateway version deprecating email alert Improved PingOne We've made improvements and added more expiry, recovery, and troubleshooting information to the **Gateway Version Deprecating** email alert. Learn more in [Monitoring gateways](../integrations/p1_gateways.html#monitoring-gateways). ##### New audit event types for Languages New PingOne We've added auditing events for languages and language keys. Events will now be logged when a language or language key is created, updated, or deleted. Learn more about language management in [Languages](../user_experience/p1_languages.html). You can review and report on these events in the [audit](../monitoring/p1_reporting.html) log or create [webhooks](../integrations/p1_webhooks.html) to monitor the events using your security information and event management (SIEM) system. You can also find a complete list of events logged in PingOne in [Audit Reporting Events](https://developer.pingidentity.com/pingone-api/platform/reference/audit-reporting-events.html) in the PingOne API documentation. #### February 17 ##### Update for user searches Improved PingOne We've added support for the `updatedAt` attribute in user searches. This attribute allows you to search for users who were added or updated at a certain time. Learn more in the [PingOne API documentation](https://developer.pingidentity.com/pingone-api/platform/users/users-1/read-all-users.html). ##### Webhooks enhancements PingOne Improved We've updated the **Webhooks** UI to improve the look and feel. Learn more in [Webhooks](../integrations/p1_webhooks.html). ##### Limit the maximum payload size per webhook PingOne Improved You can now limit the amount of data sent in the payload for a webhook by setting a maximum allowable size based on the number of PingOne events included or by size in KB. This setting helps you ensure that your security information and event management (SIEM) tools don't reject the payload because of limits set on the receiving system. Learn more in [Creating or editing a webhook](../integrations/p1_create_webhook.html). #### February 15 ##### 'Show application name' setting ignored for TOTP apps PingID TRIAGE-31838 Fixed We've fixed an issue in workforce PingID where the **Show Application name** text defined in the MFA policy for **Authenticator App (TOTP)** wasn't displaying. #### February 4 ##### Key rotation policies for token signing New PingOne PingOne can now use key rotation policies (KRPs) for token signing for OIDC-based applications, regardless of whether the application includes PingOne API scopes in its authorization requests. You can also now update worker applications to use the default KRP for token signing. Beginning March 2, 2027, PingOne will only use signing keys from KRPs to sign ID tokens and access tokens, regardless of whether the audience for the access token is PingOne APIs or custom resources. Any OIDC-based applications not using the KRP will automatically update to use the default KRP on this date. Learn more in [Key rotation policies](../settings/p1_key_rotation_policy.html) and [Editing an application - Worker](../applications/p1_edit_application_worker.html). #### February 3 ##### Group role assignment update Improved PingOne Administrators can now assign a role to a group they're a member of if that role is directly assigned to them. Learn more in [Managing group roles](../getting_started_with_pingone/p1_manage_admin_roles.html#managing-group-roles). ##### Special characters in notification templates New PingOne To prevent problems related to special character encoding when passing PingOne variables to custom email/SMS/voice providers, you can now specify the format that's passed to the provider API (for example, HTML or JSON). You can find detailed information in [Using a custom email provider for notifications](../settings/p1_using_custom_email_provider_for_notifications.html) and [Configuring a custom notification provider for PingOne](../settings/p1_sender_configure_custom_provider.html). ### January 2026 #### January 27 ##### Support for opaque refresh tokens New PingOne As part of our ongoing commitment to security, PingOne now supports issuing opaque refresh tokens for OIDC-based applications. You can currently choose JSON Web Token (JWT) or opaque refresh token on the **Configuration** tab. Learn more in [Editing an application](../applications/p1_editing_applications.html). Beginning March 2, 2027, PingOne will issue only opaque refresh tokens, and JWTs will be deprecated for refresh tokens. You must update existing applications to use opaque refresh tokens by March 1, 2027 to avoid your users being unable to access resources they need. Learn more in [Refresh tokens](../applications/p1_refresh_tokens.html). #### January 25 ##### Issue causing OTP authentications to fail when using RADIUS PCV Fixed TRIAGE-31681 PingOne We've fixed an issue that was causing RADIUS PCV authentications to fail if the user was using a one-time passcode (OTP) to authenticate with a secondary device. This issue only occurred when RADIUS PCV was in no-challenge mode and only affected PingID accounts that were migrated to PingOne. ##### Specifying maximum retention period for risk data New PingOne Protect You can now specify maximum retention periods for the risk data that's used by the following risk predictors: * New Device * User Location Anomaly * User Based Risk Behavior Learn more in [Protect settings](../threat_protection_using_pingone_protect/p1_protect_general_protect_settings.html). #### January 21 ##### PingOne Protect (Signals) SDK - new versions New PingOne Protect SDK We've released new versions of the PingOne Protect (Signals) SDK: * iOS: 5.4.0 * Android: 5.3.0 * Web: 5.6.7 You can find details in the [SDK Changelog](https://developer.pingidentity.com/pingone-api/native-sdks/pingone-risk-sdks/protect_sdk_changelog.html). #### January 19 ##### Empty FIDO2 transport list not handled correctly PingID TRIAGE-31834 Fixed Fixed an issue that was considering a FIDO2 device incompatible with all communication methods (such as USB, NFC) if its transport list was not populated. Now a FIDO2 device with an empty transport list is considered compatible with all communication methods. This issue affected PingID accounts that migrated to PingOne environments and use Windows login. #### January 15 ##### Theme improvements and additions Improved PingOne Several improvements have been made to themes to enable more comprehensive customization for your end-user pages: * Footers have been moved to the bottom of the page, instead of the bottom of the card. * The editor for the global **Footer** setting has been redesigned for both HTML and plain text options and now includes support for localization. These changes also apply to a new component-specific **Header** setting for PingOne DaVinci forms. * A group of component-specific settings were added for DaVinci forms. * Options were added to allow you to clone themes or to upgrade legacy themes to enable the new settings. Learn more in [Branding and Themes](../user_experience/p1_branding_themes.html). #### January 12 ##### Microsoft 365 application advanced settings for passive profile New PingOne ###### WS-Trust version PingOne now supports the ability to select the WS-Trust version to use when issuing security tokens for the Microsoft 365 application. The WS-Trust version only applies to passive profile sign-ons. Learn more in [Setting the WS-Trust version](../applications/p1_setting_ws-trust_version.html). ###### Assertion validity duration You can now set the assertion validity duration before the SAML assertion expires for passive profile sign-ons to the Microsoft 365 application in PingOne. Learn more in [Fine-tuning assertion validity duration](../applications/p1_fine-tuning_assertion_validity_duration.html). ##### Increased limit for applications per environment Improved PingOne Each PingOne environment now supports up to 4000 applications. Learn more in [PingOne standard platform limits](../getting_started_with_pingone/p1_platform_limits.html). ##### Configure minimum length for FIDO device PIN during user verification Improved PingOne MFA PingID FIDO policy can now define a minimum PIN length for user verification with a security key and check compliance during registration and authentication flows. This feature brings compliance with the CTAP2.1 standard's `minPinLength` extension. Users must use a security key that supports the `minPinLength` extension and define a PIN that conforms to the **Minimum PIN length** field defined in the FIDO policy to pass user verification. Learn more in [Adding a FIDO policy](../authentication/p1_creating_a_fido_policy.html). ##### After migration to PingOne authOnline of authType OTP not working as expected Fixed TRIAGE-29909 PingID Fixed an issue affecting PingID accounts that were migrated to a PingOne environment, where `authOnline` API requests with `authType` `OTP` were not actioned, causing a push notification to be sent instead. #### January 5 ##### Support for 8-digit codes from authenticator apps Improved PingOne MFA When using authenticator apps for authentication, PingOne can now accept passcodes that are up to 8 digits long. ## 2025 ### December 2025 #### December 14 ##### PingOne MFA mobile SDK 2.2 New PingOne MFA We've released version 2.2 of the PingOne MFA mobile SDK. In addition to security enhancements and minor bug fixes, this version includes the following changes. ###### Android The Android version of the SDK is now targeted for Android 16. ###### iOS Fixed TRIAGE-28957 For iOS applications using TOTP, there were situations where the passcode refresh duration was changed, but the timer continued to use the default 30-second setting. This issue has been fixed. Fixed TRIAGE-30389 For iOS applications using TOTP, there were situations where authentication failed if the passcode refresh duration had been changed from the default 30-second setting. This issue has been fixed. ###### Sample applications The sample applications for both iOS and Android now include code that demonstrates the use of automatic passkey creation. Learn more in the documentation for the [Android version](https://github.com/pingidentity/pingone-mobile-sdk-android/blob/master/release-notes.md) and the documentation for the [iOS version](https://github.com/pingidentity/pingone-mobile-sdk-ios/blob/master/release-notes.md). #### December 7 ##### Custom MAIL FROM domains New PingOne MFA To reduce the likelihood of PingOne email notifications getting flagged as spam when you are using Ping Identity as the notification sender, you can now define a custom MAIL FROM domain for trusted email domains that you have configured. Specifying a MAIL FROM domain results in SPF alignment with the FROM header, reducing the chances that the DMARC check will fail. You can find detailed instructions in [Setting up SPF and a custom MAIL FROM domain](../settings/p1_set_up_trusted_email_domain.html#p1-define-mail-from-subdomain). ##### Time zones for fields in User Device reports Fixed TRIAGE-30153 PingOne MFA In User Device reports there were some fields where the time was not expressed in UTC. This issue has been fixed. #### December 3 ##### IDA in PingOne Verify New PingOne Verify We've added the ability to **Store Verified Claims** in a verify policy. This enables you to store verified personally identifiable information (PII) within the PingOne Directory. Learn more in [Creating a verify policy](../identity_verification_using_pingone_verify/p1_verify_creating_verify_policy.html), [Viewing users](../directory/p1_viewusers.html), and [Editing a user](../directory/p1_edituser.html). ### November 2025 #### November 18 ##### Provisioning Dashboard New PingOne The **Provisioning Dashboard** shows a summary of outbound and inbound provisioning activity for the selected environment. Learn more in [Provisioning Dashboard](../integrations/p1_provisioning_dashboard.html). #### November 17 ##### Limiting number of MFA devices waiting for activation Improved PingOneMFA We've made the following changes to help limit the number of MFA devices that have never been activated: * Devices that have been in `ACTIVATION_REQUIRED` status for 24 hours are deleted from the system. * There can be a maximum of 50 devices per user in `ACTIVATION_REQUIRED` status. After this limit is reached, attempts to create a new device result in an error message. ##### PingOne Environment Properties Name field defines the PingID mobile app Organization Name Improved Strong Authentication PingID The PingOne Environment Properties **Name** field now defines the name that represents your organization in the PingID mobile app and PingID push notifications. | | | | - | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | When creating a new PingID account in a PingOne environment, the PingID mobile app UI automatically displays both the organization name and environment name. To display only the PingOne Environment Name in the app and push notifications, after creating the environment go to PingOne Environment Properties and edit the **Name** field. | ##### PingID activity logs missing information from DaVinci Fixed TRIAGE-29876 Strong Authentication PingID We've fixed an issue that was preventing the PingID Activity Log from displaying information related to the DaVinci **PingID Evaluate Policy** node. #### November 11 ##### Provisioning rules Improved PingOne We've enhanced the provisioning rules UI. You can now configure both inbound and outbound provisioning rules faster and more effectively. Learn more in [Provisioning rules](../integrations/p1_rules_provisioning.html). #### November 7 ##### PingOne Forms now support dynamic agreements New PingOne When configuring an agreement component for Forms, you can now select **Use Agreement ID from Form node**. In DaVinci, the Form connector's **Show Form** node lets you select a specific agreement or provide a dynamic agreement ID using a variable. This enhancement enables you to reuse one agreement form for any flow or user context. For example, you can now dynamically present different agreements to different populations. #### November 5 ##### Risk policy validation New PingOne Protect When you save a risk policy, PingOne Protect now checks the scores you assigned to various risk predictors. If the scores assigned are likely to lead to missing high-risk or medium-risk situations, PingOne Protect displays a message that identifies the problem and asks if you want to adjust the assigned scores before saving the risk policy. #### November 4 ##### Gateway alerts New PingOne You can now configure gateway alerts to send error, warning, and information email notifications. Learn more in [Gateways](../integrations/p1_gateways.html). ### October 2025 #### October 30 ##### Forms can only contain a single Agreement component Info PingOne Previously, you could add multiple **Agreement** components to a single form. This made it difficult to determine which agreement ID was output by the Show Form node. Now, you can add only one **Agreement** component to each form. The agreement ID is output in a predictable location with a clear name. This change also supports an upcoming ability to control the agreement selection from the Show Form node. ##### Data-Based Identity Verification New PingOne Verify You can now configure **Data-Based Identity Verification** in your PingOne Verify policy. **US Data-Based Identity Verification** allows you to verify user identity attributes with trusted third-party data. Learn more in [Creating a verify policy](../identity_verification_using_pingone_verify/p1_verify_creating_verify_policy.html). #### October 29 ##### Audit data retrieval changes New PingOne Previously announced changes to how audit events older than 14 days are retrieved are now live. The following updates were made: ###### Querying recent data * Audit data up to 14 days old is available immediately from the PingOne admin console or using the PingOne APIs. * You can request a maximum of 14 days of data at a time. That is, whether you enter a relative or a date-specific time range, the time period can't exceed 14 days. ###### Retrieving older data * Audit data older than 14 days is still available, but must be requested from the **Audit** page or using the PingOne APIs and is subject to a longer retrieval time. * To start a retrieval of older data, use the date filters on the **Audit** page. Messages in the UI will let you know if data is immediately available or requires retrieval. * API GET operations for events older than 14 days require an additional request parameter to start the retrieval process. Learn more in [Audit Activities](https://developer.pingidentity.com/pingone-api/platform/audit-activities.html) in the PingOne API documentation. * You can't request additional data while another request is pending. * You'll be notified by email when the data is retrieved, and at that point you can run queries against the data from the **Audit** page or using the APIs. This data is available for 14 days from the retrieval date. * Depending on the number of days requested and the average number of events logged per day, the process can take from 2 to 24 hours. ###### Querying older data * After the retrieval is complete you can run queries from the **Audit** page as normal against a maximum of 14 days of data. This maximum includes both immediately available data and retrieved data. | | | | - | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | PingOne maintains auditing data for end-user events for 90 days by default. Historical dashboard data and administration configuration change data is retained for two years. These retention periods haven't changed.PingOne DaVinci events are not stored in PingOne. Learn more about DaVinci data retention and retrieval in the [DaVinci release notes](https://docs.pingidentity.com/davinci/release_notes/davinci_release_notes.html#september-9) and the [Debugging and analytics](https://docs.pingidentity.com/davinci/davinci_best_practices/davinci_best_practices_debugging_and_analytics.html) section of the DaVinci documentation. | #### October 28 ##### Support for Microsoft Entra ID hybrid join New PingOne PingOne SSO As organizations expand their on-premise Active Directory (AD) infrastructure to Microsoft Entra ID in the cloud, you can optionally hybrid join your organization's Windows devices to Entra ID to simplify device management. As an identity provider (IdP) federated with Entra ID, PingOne can now issue security tokens for the hybrid join process, helping to accelerate adoption of Entra ID features and cloud services. This new capability is available as a limited access release for customers with a PingOne for Workforce Plus or Premium license in the North America region only. Learn more in [Setting up PingOne as the federated IdP for Microsoft Entra ID](../use_cases/p1_microsoft_entra_hybrid_join.html). ##### Improved PingOne DaVinci integration Improved PingOne DaVinci You can now apply a PingOne DaVinci policy to the Microsoft 365 application. Learn more in [Adding Microsoft 365 to allow users to sign on using PingOne](../applications/p1_adding_microsoft_365.html) and [Launching a PingOne DaVinci flow with a redirect](https://docs.pingidentity.com/davinci/integrating_flows_into_applications/davinci_launch_flow_redirect.html). #### October 26 ##### Updates to MFA status following migration of an existing PingID account to an existing PingOne environment Improved Strong Authentication PingID We've made some changes as to how the MFA status is updated following the integration of an existing PingID account to an existing PingOne environment, or migration of PingID management from the legacy PingID admin portal to a PingOne environment. Learn more in [What you need to know before integrating or migrating a PingID account into a PingOne environment](../strong_authentication_mfa/p1_what_to_know_before_integrating_existing_pid_account_to_p1.html). #### October 24 ##### Updated LDAP gateway client application New PingOne We've released LDAP Gateway client application version 4.0.3. This version fixes an issue where provisioning users from LDAP to PingOne failed to sync the Active Directory `memberOf` attribute, which potentially resulted in a loss of group or role-based application access. | | | | - | ------------------------------------------------------------------------------------------------- | | | LDAP Provisioning customers shouldn't use LDAP Gateway 4.0.2 and are advised to upgrade to 4.0.3. | #### October 23 ##### Import and export forms with DaVinci Flows New PingOne We've made it easier to share your forms, such as when sending your flows to the Ping Identity Support team or collaborating with an implementation partner. This change will also allow Ping Identity to add flows to the [Ping Identity Marketplace](https://marketplace.pingone.com/browse?products=davinci\&contentType=davinciConnectors) that include easy drag-and-drop forms. Now, when exporting a DaVinci flow, the forms associated with any **Show Form** nodes are included in the exported flow JSON file. When importing a flow, DaVinci imports any forms into **User Experience > Forms**. This feature is designed to share forms across unrelated environments, so exported forms don't include external IdP information or custom user attributes. Learn more in [Importing and exporting forms](../user_experience/p1_import_export_forms.html). #### October 22 ##### Support added for up to 100 million identities per environment Improved PingOne PingOne now supports up to 100 million identities in a single environment. Learn more in [PingOne standard platform limits](../getting_started_with_pingone/p1_platform_limits.html). #### October 21 ##### OAuth 2.0 authorization server metadata Info PingOne PingOne now includes OAuth 2.0 authorization server metadata in its `/.well-known/oauth-authorization-server` response. This adds support for the OAuth metadata URI to enable consistency with the OAuth 2.0 metadata specification and interoperability across Ping Identity products. #### October 20 ##### Groups UI enhancements Improved PingOne We've made several improvements to the UI for the **Groups** page to give you a more organized and efficient experience. The groups list is now displayed in columns that bring important group information to the surface. Customize the display by showing and hiding columns as needed. Use our new filters to quickly refine the list further and show only the groups you want to see. Learn more in [Groups](../directory/p1_groups.html). #### October 17 ##### Audit data retrieval changes deployed in Singapore region New PingOne The audit retrieval changes announced on [October 2](#audit-data-retrieval-changes-coming) have been deployed in the Singapore region. The changes will be deployed to the remaining regions by the end of the month. #### October 7 ##### Option to accept ACS URLs found in signed SAML AuthnRequests New PingOne PingOne SSO PingOne now supports always accepting an assertion consumer service (ACS) URL in a signed SAML AuthnRequest regardless of whether the ACS URL is added on the application's **Configuration** tab. This new setting is useful if a service provider (SP) generates ACS URLs dynamically. Learn more in [Editing an application - SAML](../applications/p1_edit_application_saml.html). #### October 2 ##### Audit data retrieval changes coming New PingOne Starting October 27, 2025, the following changes will be made to how audit events older than 14 days are retrieved: * Audit data up to 14 days old will be available immediately from the PingOne admin console or using the API, as it is today. * Audit data older than 14 days will still be available, but must be requested from the **Audit** page or using the API and is subject to a longer retrieval time. * You'll be able to request a maximum of 14 days of data from storage at a time. That is, whether you enter a relative or a date-specific time range, the time period can't exceed 14 days. * You can't request additional data while another request is in progress. * You can run queries against a maximum of 14 days of data. This maximum includes both immediately available data and retrieved data. API GET operations for events older than 14 days will require an additional request parameter to start the retrieval process. After you request data older than 14 days, you'll be notified by email when the data is accessible, and at that point you can run queries against the retrieved data from the **Audit** page or using the API. This data will be available for reporting for 14 days from the retrieval date. Depending on the number of days requested and the average number of events logged per day, the process can take from 2 to 24 hours. | | | | - | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | PingOne maintains auditing data for user events for 90 days by default. Historical dashboard data and administration configuration change data is retained for 2 years. These retention periods are not changing.PingOne DaVinci events are not stored in PingOne. Learn more about DaVinci data retention policies in the [DaVinci release notes](https://docs.pingidentity.com/davinci/release_notes/davinci_release_notes.html#september-9). | ### September 2025 #### September 30 ##### Domains Improved PingOne We modernized **Domains** in PingOne with a new look and feel. Learn more in [Domains](../settings/p1_domains.html). ##### Updated LDAP gateway client application New PingOne We've released LDAP Gateway client application version 4.0.2. This version includes: * A new Java required version, Java 21 LTS. * Upgraded packages to resolve security vulnerabilities. * Enhancement to LDAP connection pool and WebSocket connection logic to maintain healthy connections. * Health actuator endpoints to support container orchestration health checks. Learn more in [LDAP gateway health endpoints](../integrations/p1_ldap_gateway_endpoints.html). ##### Authorize gateway 1.2.0 New PingOne PingOne Authorize We've released Authorize gateway version 1.2.0. This version includes: ###### Bulk decision requests Authorize gateway instances now support bulk decision requests, allowing you to evaluate multiple access scenarios in a single API call. Bulk requests reduce both network overhead and overall decision latency, improving performance in high-throughput environments. Learn more in [Making decision requests to Authorize gateway instances](../integrations/p1_make_decision_requests_to_authz_gateway_instances.html). | | | | - | -------------------------------------------------------------------------------------------------------------------------------------- | | | You can find additional release details in [Authorize gateway version history](../integrations/p1_authz_gateway_version_history.html). | ###### End of support notice Support for the previous Authorize gateway version (1.1.0) will end on October 31, 2026. Learn more in [Authorize gateway support lifecycle](../integrations/p1_authz_gateway_support_lifecycle.html). ##### Improve cache performance with header exclusions New PingOne Authorize You can now improve the cache hit rate by excluding certain HTTP headers from the authorization service cache key. This reduces unnecessary cache misses caused by headers that are unique to each request, change frequently, or don't affect the service response. Learn more in [Service caching](../authorization_using_pingone_authorize/p1_az_service_caching.html). #### September 15 ##### API Usage Dashboard and Maximum Throughput Assurance New PingOne To ensure that every PingOne customer has the share of resources they need at any given time, PingOne sets rate limits based on your purchased PingOne products, as well as the product APIs licensed in your product license. Rate groups, which are groups of endpoints related to a particular product or service, each have their own rate entitlements. Our new **API Usage Dashboard** lets you monitor your peak usage against the established entitlements so that you can plan effectively. Additionally, a new **Rate Limits and Allowed IPs** page in **Settings** allows you to bypass per IP rate limits for server-sourced traffic. | | | | - | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | Rate entitlement enforcement will begin at some point after September 2025. You can use the **API Usage Dashboard** now to track your usage and determine if the existing entitlements will be sufficient to meet the needs of your business when enforcement starts. You can also use the **Rate Limits and Allowed IPs** page for reference now and preconfigure the **Server-Sourced Traffic** list, if applicable to your deployment. The list will go into effect on the enforcement date.Ping has established base entitlements that should provide adequate resourcing for the majority of our customers. Customers requiring additional capacity should contact Sales about our Maximum Throughput Assurance program. | PingOne Integration Kits have been updated to support this new rate limiting model. Go to the [Ping Identity Integration Directory](https://support.pingidentity.com/s/marketplace-integration-home-page) and download the latest versions of your integration kits. Learn more about rate limiting in PingOne in the following topics: * [API Usage Dashboard](../settings/p1_api_usage_dashboard.html) * [Rate Limits and Allowed IPs](../settings/p1_rate_limits.html) * [Rate Limiting](https://developer.pingidentity.com/pingone-api/platform/rate-limiting.html) (in the PingOne API documentation). #### September 14 ##### Migration now completes successfully even if some user accounts fail to migrate Improved Strong Authentication PingID When migrating a PingID account to a PingOne environment, PingOne allows migration to complete even if a small number of the PingID accounts fail to migrate successfully. To identify any user accounts that failed to migrate, Admins should check the PingID administrative activity report. The report includes the total number of failed accounts as well as an entry identifying the username for each failed account. Learn more in [Considerations after integrating or migrating a PingID account into a PingOne environment](../strong_authentication_mfa/p1_migrate_pingid_account_postrequisites.html). #### September 9 ##### Backward compatibility for fallback to next device for PingID accounts Improved Strong Authentication PingID We've added backward compatibility for PingID accounts on PingOne when the MFA policy is configured to **User selected default**. With this update, if a user signs in from a browser or application that does not support WebAuthn, they are now automatically prompted to authenticate with the next available method in their device list, instead of being asked to manually select a different device. #### September 5 ##### Bring your own authorization server New PingOne Authorize API Access Management now validates access tokens from third-party authorization servers. This allows integration with PingOne Advanced Identity Cloud, PingOne Advanced Services, or your current third-party identity provider while leveraging PingOne Authorize for centralized API access control. Token claims are automatically mapped to built-in attributes, making them easy to use in claims-based access control policies. Learn more in [External OAuth servers in PingOne Authorize](../authorization_using_pingone_authorize/p1_az_external_oauth_servers.html). #### September 2 ##### Require users to perform MFA to manage MyAccount New PingOne MFA You can now configure the **Self-Service-MyAccount** application to require users to authenticate with MFA before they can manage their authentication methods for customer (PingOne MFA) use cases. Learn more in [Require users to perform MFA to manage MyAccount page (Customer only)](../user_experience/p1_require_mfa_to_access_myaccount.html). ##### Custom notification providers - support for additional authorization methods New PingOne MFA When defining a custom provider for email or SMS/voice notifications, you can now also use providers that require OAuth2 authorization (Client Credentials) or the use of a custom header. ### August 2025 #### August 27 ##### Authorize gateway 1.1.0 New PingOne PingOne Authorize We've released Authorize gateway version 1.1.0. This version includes the following features and enhancements. ###### More powerful policy authoring You can now leverage PingOne user attributes, resolvers, the **Is Member Of** and **Is Not Member Of** condition comparators, and **Connector** service risk signals in policies and rules. Learn more in [Policies published to Authorize gateways](../integrations/p1_policies_published_to_authz_gateways.html). Service caching TTLs and timeouts for calls to PingOne are now configurable, giving you more control over performance and reliability. Learn more in [Service caching and timeouts for Authorize gateway instances](../integrations/p1_service_caching_authz_gateway_instances.html). ###### More granular control over administrator permissions The new built-in **Authorize Gateway Policy Evaluator** role grants least-privilege permissions for reading Authorize gateways and authorization deployments. For more advanced permissions, such as reading user details or evaluating risk scores, you can add custom roles on the new **Roles** tab. Learn more in [Managing Authorize gateway roles](../integrations/p1_manage_authz_gateway_roles.html). ###### Enhanced logging All service calls to PingOne are now logged, improving visibility into policy interactions with PingOne, such as user attribute resolution and group membership checks. Learn more about the `PINGONE_SERVICE_AUDIT` log in [Logging for Authorize gateway instances](../integrations/p1_logging_authz_gateway_instances.html). | | | | - | -------------------------------------------------------------------------------------------------------------------------------------- | | | You can find additional release details in [Authorize gateway version history](../integrations/p1_authz_gateway_version_history.html). | ###### End of support notice Support for the previous Authorize gateway version (1.0.0) will end on August 31, 2026. Learn more in [Authorize gateway support lifecycle](../integrations/p1_authz_gateway_support_lifecycle.html). #### August 26 ##### Support added for RFC 7914 password encoding format New PingOne We now support [RFC 7914](https://datatracker.ietf.org/doc/html/rfc7914.html) for Scrypt password encoding. The RFC-compliant encoding format uses the new `SCRYPT_RFC7914` identifier to distinguish it from the earlier encoding format using the `SCRYPT` identifier. `SCRYPT` uses the pre-RFC encoding format known as `c2NyeXB0`. Learn more in [Scrypt](https://developer.pingidentity.com/pingone-api/platform/reference/password-encoding.html#scrypt-encoding) in the PingOne API documentation. #### August 19 ##### Detection of compromised accounts New PingOne Protect The **User-Based Risk Behavior** predictor now includes an option to have PingOne Protect attempt to detect compromised user accounts and take this into account when calculating the risk level for the predictor. #### August 18 ##### Evaluate all child authorization policies or rules New PingOne Authorize By default, combining algorithms stop evaluating once a final decision is reached. The new **Evaluate All** option overrides this behavior, ensuring that all child policies or rules are evaluated. This is useful for scenarios like fraud control, where full evaluation is required for auditing, analysis, and more precise control over when policy statements are generated, without affecting the final decision. Learn more in [Combining algorithms](../authorization_using_pingone_authorize/p1az_combining_algorithm.html). #### August 10 ##### Passcode grace period New PingOne MFA To cover time synchronization issues, you can now configure the grace period during which the passcode can still be used even after the passcode has been refreshed. You can find details in [Editing an application - Native](../applications/p1_edit_application_native.html) and [(Workforce Only) Configuring the PingID mobile application settings](../strong_authentication_mfa/p1_configuring_pid_mobile_application.html). ### July 2025 #### July 31 ##### Simplified native mobile app configuration and integration New PingOne We've enhanced the application configuration and integration process for native mobile applications. The new **Integrate** tab for native applications provides access to a selection of prefilled code examples, instructions, and sample apps for both iOS and Android. When the required configuration steps are completed for the application, you can select one of the following options in the **Language/Framework** list on the **Integrate** tab: * **iOS - Swift - Embedded Login** (DaVinci) * **iOS - Swift - OIDC Direct Login** * **Android - Kotlin - Embedded Login** (DaVinci) * **Android - Kotlin - OIDC Direct Login** Each snippet contains the **Client ID**, **Redirect URI**, and **OIDC Discovery Endpoint** for the application, and these values update dynamically when you change the application configuration. Additionally, the instructions for each snippet include links to the relevant SDK tutorials that walk you through the steps to complete the integration. These improvements reduce the risk of copy-paste errors, shorten the time to first sign-on, and encourage a deeper use of DaVinci orchestration by eliminating the need to use custom REST calls. Learn more by going to **Applications > Applications** in the PingOne admin console, selecting or creating a native application, and clicking the **Integrate** tab. Learn more about configuring native applications in [Editing an application - Native](../applications/p1_edit_application_native.html). #### July 27 ##### Senders UI enhancements Improved PingOne We've made some improvements to the **Senders** UI for clarity and ease of use. Learn more in [Senders](../settings/p1_sender.html). ##### PingOne MFA mobile SDK 1.11.1 New PingOne MFA On July 7, we released version 2.1.1 of the PingOne MFA mobile SDK for Android, removing custom support for Certificate Transparency verification, which was unstable and caused communication issues. Because many customers are still using version 1.x of the PingOne MFA mobile SDK, we've now also released version 1.11.1 of the SDK, without support for Certificate Transparency verification. You can enable Certificate Transparency verification natively in Android 16 as described in the [Opt in to certificate transparency](https://developer.android.com/privacy-and-security/security-config#CertificateTransparencySummary) section of the Android network security configuration guide. To avoid end-user issues and disruptions, upgrade your apps using version 1.x of the SDK to version 1.11.1 as soon as feasible. #### July 23 ##### Conditional component visibility in PingOne Forms Improved PingOne Conditional component visibility allows you to create a form in PingOne Forms with components that you can configure to be hidden or shown in a user-facing form based on Boolean values pulled from your DaVinci flow. Learn more in [Configuring conditional component visibility](../user_experience/p1_configuring_conditional_component_visibility.html). ##### Identifier First authentication enabled in Administrator Security Improved PingOne We've updated the Administrator Security settings for the hybrid options (**PingOne & External IdP** and **PingID & External IdP**) to enable Identifier First authentication. When enabled, you can identify users before you authenticate them and configure discovery rules that take different authentication actions based on who the user is. Learn more in [Configuring administrator security](../settings/p1_configure_administrator_security.html) and [Configuring administrator security - PingID](../settings/p1_configure_administrator_security_pingid.html). #### July 16 ##### Identity data matching New PingOne Verify You can now configure **Identity Data** in your PingOne Verify policy. **Data Matching** allows you to compare identity data extracted during verification with an identity record. Based on the results of this comparison, you can define policy logic to determine verification outcomes (pass or fail). Learn more in [Creating a verify policy](../identity_verification_using_pingone_verify/p1_verify_creating_verify_policy.html). #### July 15 ##### Support for multiple custom resources in a single access token New PingOne OIDC-based applications in PingOne can now request an access token to access multiple custom resources in a single request. This capability simplifies the application authentication and authorization process and reduces the number of requests an application must make. Learn more about the **Request scopes to access multiple resources** option in [Editing an application - OIDC](../applications/p1_edit_application_oidc.html). #### July 14 ##### Support for multiple MFA policies Improved Strong Authentication PingID PingOne now supports multiple MFA policies for Workforce (PingID) environments. Legacy security key and FIDO2 biometrics authentication methods aren't supported with multiple MFA policies, so make sure to update any existing MFA policies that don't yet support FIDO2. Learn more in [Configuring an MFA policy for strong authentication](../strong_authentication_mfa/p1_creating_an_mfa_policy_for_strong_auth.html). ##### Use of risk policies with an MFA-only license New Strong Authentication PingID PingOne Protect For administrators with a Workforce (PingID) environment and an MFA-only license, you can now create targeted risk policies for authentication flow types. With an MFA-only license you can use a limited subset of the predictors available with a full PingOne Protect license. You can also define the applications and user groups to which the risk policy will apply. This feature is available as part of a limited access release to PingID administrators who created a new PingOne environment with PingID enabled, or migrated their PingID account to PingOne. To enroll in the limited access release, contact your Ping Identity representative. Learn more in [Creating a risk policy with an MFA-only license](../threat_protection_using_pingone_protect/p1_creating_risk_policies_for_mfa_only.html). #### July 9 ##### Provisioning to ZScaler using SCIM New PingOne You can now use a SCIM connection to enable outbound provisioning from PingOne to a ZScaler ZPA and ZScaler ZIA account. Learn more in [SCIM certified provisioners](../integrations/p1_scim_certified_provisioners.html). #### July 8 ##### Using expressions to retrieve Microsoft Entra attributes Improved PingOne PingOne supports using expressions to retrieve additional attributes from Microsoft Entra when [Microsoft is configured as an identity provider in PingOne](../integrations/p1_add_idp_microsoft.html). PingOne now supports three types of Microsoft Entra attributes: * Extension attributes * Directory extensions * Schema extensions Learn more in [Using expressions to retrieve Microsoft Entra attributes](../pingone_expression_language/p1_expressionlang_expressions_concatenation.html#p1-expressions-microsoft). #### July 7 ##### Targeted risk policies New PingOne Protect You can now create targeted risk policies with PingOne Protect to define risk policies for different targets, including flow types, applications being accessed, and user groups to which the risk policy will apply. During risk evaluations, PingOne Protect evaluates targeted policies in the order displayed in the **Targeted Policies** list until the target criteria are met for a policy. Learn more in [Adding a risk policy](../threat_protection_using_pingone_protect/p1_protect_adding_risk_policy.html). ##### Mitigations in risk policies New PingOne Protect PingOne Protect now supports adding mitigations to risk policies. A mitigation is an action that you recommend if a given condition is met, such as deny access if a certain predictor returns high risk. When the condition is met, the recommended action you created is returned in the risk evaluation response. Learn more in [Adding a risk policy](../threat_protection_using_pingone_protect/p1_protect_adding_risk_policy.html). ##### External applications New PingOne The **Application Portal** page has been renamed **External Applications**. You can now use the page also to define applications that you don't want to include in the application portal but want to include in contexts such as targeted risk policies. Learn more in [External applications](../applications/p1_external_applications.html). ##### PingOne MFA mobile SDK 2.1.1 New PingOne MFA We've released version 2.1.1 of the PingOne MFA mobile SDK. This version includes the following features and enhancements: ###### Android Removed custom support for Certificate Transparency verification, which was unstable and caused communication issues. Certificate Transparency verification can now be enabled natively in Android 16 as described in the [Opt in to certificate transparency](https://developer.android.com/privacy-and-security/security-config#CertificateTransparencySummary) section of the Android network security configuration guide. To avoid end user issues and disruptions, it is highly recommended that app owners upgrade to this version of the SDK as soon as feasible. ###### iOS: Fixed an issue that was causing pairing of devices to fail in PingOne's Australia and Canada regions. Learn more in the documentation for the [Android](https://github.com/pingidentity/pingone-mobile-sdk-android/blob/master/release-notes.md) and [iOS](https://github.com/pingidentity/pingone-mobile-sdk-ios/blob/master/release-notes.md) versions. #### July 3 ##### New PingOne Verify settings available in themes Improved PingOne You can now update the appearance of the image on your identity verification pages to better match your company styles and branding. Learn more in [Branding and Themes](../user_experience/p1_branding_themes.html). #### July 2 ##### Updated UI for Branding and Themes Improved PingOne We've updated the **Branding and Themes** UI with a new look and feel for a more streamlined experience. This new UI includes search and sort capabilities that make it easier to find the theme you need. It also lets you preview the appearance of your PingOne forms when you switch themes or update theme properties. Learn more in [Branding and Themes](../user_experience/p1_branding_themes.html). #### July 1 ##### New Help Desk Admin role added New PingOne We've created the **Help Desk Admin** role to delegate access for helping end users authenticate with PingOne. Administrators with this role can manage MFA methods and devices for users and reset passwords. This role can be assigned at the environment or population level. Learn more in [Built-in PingOne administrator roles](../directory/p1_roles.html#_built_in_pingone_administrator_roles). ### June 2025 #### June 30 ##### New Singapore domain New PingOne We've expanded to add a new data residency region for Singapore. Customers can now register new PingOne organizations with data residency and processing contained within Singapore. These organizations will use the new .sg domain name. Learn more about regional domains in [Organizations](../introduction_to_pingone/p1_introduction.html#p1-organizations). #### June 25 ##### OIDC session management New PingOne PingOne now supports OpenID Connect (OIDC) session management, allowing OIDC-based applications in the same browser mode to monitor the user session status. When enabled, PingOne includes the `session_state` parameter in its authorization response with the session status, such as `unchanged`, `changed`, or `error`. Learn more about OIDC session management in [Editing an application - OIDC](../applications/p1_edit_application_oidc.html). #### June 22 ##### PingOne MFA mobile SDK 2.1 New PingOne MFA We've released version 2.1 of the PingOne MFA mobile SDK. This version includes the following features and enhancements: * Security enhancements * Bug fixes * Support for the new Singapore PingOne region * When developing apps with the MFA SDK, you now need to use version 1.8.1 or later of the SDK. * In the iOS version of the SDK, the `setDevicePairedAfterReinstall` method has been deprecated. Learn more in the documentation for the [Android version](https://github.com/pingidentity/pingone-mobile-sdk-android/blob/master/release-notes.md) and the documentation for the [iOS version](https://github.com/pingidentity/pingone-mobile-sdk-ios/blob/master/release-notes.md). #### June 17 ##### PingOne Notifications - Twilio Verify New PingOne MFA You can now use Twilio Verify for sending PingOne notifications. Learn more in [Using Twilio Verify with PingOne](../settings/p1_using_twilio_verify_for_notifications.html) and in [Phone Delivery Settings](https://developer.pingidentity.com/pingone-api/platform/notifications/phone-delivery-settings.html) in the PingOne developer documentation. #### June 12 ##### Ability to delete translatable keys for language management New PingOne In addition to creating and updating key-value pairs, PingOne **Languages** now includes the ability to delete unwanted or unused keys for a language. Learn more in [Deleting translatable keys](../user_experience/p1_deleting_transtatable_keys.html). #### June 4 ##### Signals (PingOne Protect) SDK - new version for web New PingOne Protect SDK We've released a new version of the Signals (PingOne Protect) SDK for web, 5.6.0. You can find details in the [SDK Changelog](https://developer.pingidentity.com/pingone-api/native-sdks/pingone-risk-sdks/protect_sdk_changelog.html) in the PingOne developer documentation. ##### Multi-factor authentication enforced for all access to the admin console Improved PingOne Per announcements earlier this year, and as part of our continued efforts to support best practice security measures in PingOne, multi-factor authentication (MFA) is now required for all administrators accessing the PingOne admin console. Learn more about configuration options for administrator security in [Administrator security](../settings/p1_administrator_security.html). #### June 3 ##### Virtual server IDs for SAML applications New PingOne You can now add custom virtual server IDs to SAML applications. This new capability allows you to identify your server differently when connecting to the same SAML application in various scenarios, such as from different environments or for different populations. Virtual server IDs also provide configuration flexibility and added protection against unauthorized access. Learn more in [Editing an application - SAML](../applications/p1_edit_application_saml.html) and [Virtual server IDs for SAML applications](../applications/p1_virtual_server_ids_saml_apps.html). ##### Configure the one-time passcode (OTP) length for Workforce use cases New Strong Authentication PingID You can now configure the length of the one-time passcode for Email, SMS, and Voice authentication methods in workforce use cases (PingID). This feature was previously only available for customer use cases. Learn more in [Configuring an MFA policy for strong authentication](../strong_authentication_mfa/p1_creating_an_mfa_policy_for_strong_auth.html). ### May 2025 #### May 28 ##### SMS notifications for users in China Info PingOne To adjust to regulatory changes, SMS notifications sent with the default Ping server to users in China now use the Twilio SMS template. If you use the Ping server for sending PingOne SMS notifications, your users in China will now see notifications branded with Twilio's name rather than Ping Identity. ##### Major update to PingOne Forms Improved PingOne DaVinci ###### New form templates When you create a form in PingOne, there are now 18 templates to get you started. The following 11 templates have been added: * Two new MFA Device Selection templates. These templates prompt the user to select an MFA method to set up or authenticate with. Powered by your MFA policy. * Six new OTP Prompt templates. These templates present a UI for a user to register or authenticate with a one-time passcode (OTP) using email, text message, or voice call. The templates allow you to include the user's phone number or email address as dynamic text and link to a passcode resend branch in your flow. * Two new Authenticator App Prompt templates. These templates prompt the user to scan a QR code to set up or authenticate with a TOTP authenticator app. * One new Magic Link Prompt template. This template prompts the user to click a magic link received by email. ###### New components The following seven components have been added to the form builder: * Fields * **Checkbox**: Show a single checkbox with a rich text label. This component allows you to link to an externally hosted Terms and Conditions document. Learn more in [Form configuration](../user_experience/p1_form_configuration.html). * Toolbox * **Agreements**: Show the title and full body text of a PingOne agreement. * **Phone number input**: Prompt a user to select a country code and enter their phone number. * **Polling**: Show a spinner or animated dots and enable Polling and Challenge controls in the Show Form node. Loop the flow or pause on this form while another branch of the flow finishes. * **QR code**: Show a scannable QR code that contains a value from your DaVinci flow, with optional human-friendly fallback text. * **MFA Device Selection - Registration and Authentication**: Prompt the user to select an MFA method to set up or authenticate with. Powered by your MFA policy. * **FIDO2**: Prompt a user to set up or authenticate with a FIDO2 authentication method, such as biometrics or a security key. Learn more in [Form configuration](../user_experience/p1_form_configuration.html). ###### Improved components * **Translatable Rich Text**: You can now select an icon to show with your rich text. * **Submit Button**: You can now remove the **Submit Button** to make room for a different submit method, such as MFA Device Selection, Polling, or FIDO2. Only one submit method is allowed per form. * **Submit Button**, **Flow Button**, and **Flow Link**: Enabling **Override Default Styles** doesn't affect the look of your form until you change a value. You can also override some colors while keeping others linked to the theme. Learn more in [Form configuration](../user_experience/p1_form_configuration.html). ###### New features PingOne Forms now supports dynamic text in the **Translatable Rich Text** component and field labels. This update allows you to take a value from your DaVinci flow, such as the user's first name, and show it in the form as read-only text or target for a hyperlink. Learn more in [Using dynamic text](../user_experience/p1_using_dynamic_text.html). ###### Other improvements We've improved the order and grouping of PingOne attributes on the **Fields** tab. ###### Changes to the Form connector's **Show Form** node * We've added direct links to the **Forms** and **Branding and Themes** sections of the PingOne admin console. * We've renamed the **Pre-Populate Field Values** table to **Initial Field Values** and removed the unnecessary heading with the add and edit buttons. * We've added a **Dynamic Text** table. This lets you populate dynamic text with a value from your flow. * We've added properties to support the new components. #### May 27 ##### Sign-off method for application portal and self-service (MyAccount app) New PingOne PingOne SSO You can now choose the sign-off method PingOne uses when end users sign off from the application portal and the PingOne Self-Service - MyAccount app. You can select either **OIDC Logout** or **SAML 2.0 Single Logout** on the following pages in PingOne: * **Applications > External Applications**: Learn more in [Configuring the application portal](../applications/p1_configuring_the_application_portal.html). * **User Experience > Self Service**: Learn more in [Configuring the Self Service portal end-user experience](../user_experience/p1_configure_self_service.html). ##### SAML 2.0 SLO support with the PingOne Authentication connector New PingOne PingOne SSO DaVinci PingOne now supports SAML 2.0 single logout (SLO) from identity providers (IdPs) configured as part of a DaVinci flow using the PingOne Authentication connector. End users can now sign off from IdPs through SAML 2.0 SLO for flows configured using the Sign On with External Identity Provider capability from the PingOne Authentication connector. Learn more about SAML 2.0 SLO in [Applications](../applications/p1_saml_2_0_slo.html) and [External IdPs](../integrations/p1_saml_slo_externalidp.html). #### May 20 ##### MFA with multiple authentication policies Info PingOne MFA To enhance security, in cases where multiple authentication policies are defined for accessing an application, PingOne no longer proceeds to the next authentication policy if a user has an MFA device that is unreachable, locked, or blocked. #### May 16 ##### Verify users in India with Aadhaar verification using PingOne Verify policies Improved PingOne Verify You can now verify users in India using PingOne Verify policies. Indian residents are issued an Aadhaar ID, which is a 12-digit identification number. When you configure Aadhaar verification in PingOne Verify policies, PingOne Verify gains the ability to directly integrate with India's Aadhaar National Registry. Learn more in [Creating a verify policy](../identity_verification_using_pingone_verify/p1_verify_creating_verify_policy.html). #### May 13 ##### FIDO Attestation improvements Improved Strong Authentication PingID PingOne MFA The following improvements are now available in FIDO2 policy: * Add enterprise attestation You can now verify that a device is an Enterprise FIDO device. You can also check that the device matches the serial number configured for the user. * Additional User Display Name attributes You can now include the **Environment Name** and **Organization name** with the **User Display Name**. This information displays when a user registers their FIDO device. Learn more in [Adding a FIDO policy](../authentication/p1_creating_a_fido_policy.html) #### May 12 ##### Use of short codes for PingOne SMS notifications - United States and Canada Info PingOne MFA To improve delivery reliability for PingOne SMS notifications sent with the default Ping server, the use of short codes has been expanded. If you use the Ping server for sending PingOne SMS notifications, and you haven't customized notification content, your users in the United States and Canada might see notifications coming from a different number than previously. #### May 11 ##### OATH token authentication for customer use cases New Strong Authentication PingOne MFA OATH token authentication is now available for customer (PingOne MFA) use cases. Learn more in [Configuring OATH token authentication](../strong_authentication_mfa/p1_pid_oath_tokens.html) #### May 7 ##### Administrator Security enhancements Improved PingOne We've added a new **Limit MFA to specific populations** setting for environments using the **PingOne & External IdP** option for Administrator Security. If you select this option, you can select specific populations that will require secondary authentication through PingOne after the initial authentication with the IdP. Users in populations that are not selected will authenticate only once, through the IdP. Learn more in [Configuring administrator security](../settings/p1_configure_administrator_security.html). #### May 1 ##### Invite administrators to register with PingOne New PingOne You can now invite other administrators to register for PingOne. To use this feature, you must use PingOne as your identity provider, have [administrator security](../settings/p1_administrator_security.html) enabled with PingOne or a hybrid authentication source, and have the appropriate permissions. In the invitation, provide their first and last name, their email address, and specify the administrator roles that you want the administrator to have. You can also set an expiration time on the invitation. The maximum time allowed is 24 hours. The new administrators receive an email indicating that they were added as an administrator in PingOne. The email contains a registration link and instructs them to click the link, copy the invite code, paste it into the appropriate field, and create a password to complete the registration process. Learn more about this process in [Inviting administrators to register](../getting_started_with_pingone/p1_manage_administrators.html#invite_admin) and [Accepting the administrator account registration](../getting_started_with_pingone/p1_manage_administrators.html#accept_invitation). The PingOne administrator **Getting Started** experience has also been updated and now includes this functionality. ### April 2025 #### April 30 ##### Production environment deletion protection Improved PingOne Production environments can now be deleted, but the environment will be in a recoverable state for 30 days before it is permanently deleted. Sandbox environments are still deleted immediately and are not recoverable. Additionally, you can promote Sandbox environments to Production, but you can no longer demote Production environments to Sandbox. | | | | - | -------------------------------------------------------------------------------------------------------------------------------------------------------- | | | Any Sandbox environment containing production resources or used for production purposes should be promoted to Production to prevent accidental deletion. | Learn more in [Sandbox and Production environments](../introduction_to_pingone/p1_introduction.html#p1-env-types), [Deleting an environment](../settings/p1_deleteenvironment.html), and [Recovering a deleted Production environment](../settings/p1_recover_deleted_production_environment.html). #### April 29 ##### Support for Microsoft Entra ID external MFA with PingOne, PingID, and DaVinci New PingOne SSO DaVinci PingID [External multi-factor authentication (MFA)](https://learn.microsoft.com/en-us/entra/identity/authentication/how-to-authentication-external-method-manage) allows Microsoft Entra ID users to leverage external authentication providers for MFA. You can now use DaVinci with PingOne SSO and PingID to configure external MFA, formerly known as an external authentication method (EAM), for Entra ID. Learn more in [Setting up PingOne SSO, DaVinci, and PingID as the external MFA provider for Microsoft Entra ID](../use_cases/p1_set_up_external_mfa_provider_microsoft_entra_davinci.html). #### April 28 ##### WhatsApp as an authentication method New Strong Authentication PingOne MFA You can now enable and configure WhatsApp as an authentication so that your users can receive a one-time passcode (OTP) by WhatsApp message. This authentication method is available for customer (PingOne MFA) use cases only, and requires you to have your own WhatsApp Business Account. Learn more in [Configuring WhatsApp authentication](../strong_authentication_mfa/p1-strong-auth_whatsapp.html). ##### Define cooldown period for sending notifications New Strong Authentication PingOne MFA PingID To prevent the malicious use of notifications, you can now define a notification cooldown period during which the user must wait before sending another notification. You can define notification cooldown periods for WhatsApp, Email, and SMS/Voice notifications. Learn more in [Notification Policies](../user_experience/p1_creating_a_notification_policy.html) #### April 24 ##### Administrator Roles UI enhancements Improved PingOne The roles on the **Built-In Roles** tab of the **Administrator Roles** page are now organized into categories that clearly separate the roles used for single sign-on to other Ping products from the main PingOne roles. These categories are also used throughout the UI to simplify role assignment. Learn more in [Administrator Roles](../directory/p1_roles.html). ##### Skip account lock verification during authentication New Strong Authentication PingOne MFA PingID We've added the ability to skip account lock validation when applying an MFA policy. Learn more in [Configuring an MFA policy for strong authentication](../strong_authentication_mfa/p1_creating_an_mfa_policy_for_strong_auth.html). #### April 22 ##### Support for `x5t` header parameter in OIDC applications New PingOne PingOne can now include the `x5t` header parameter in access tokens, ID tokens, and JSON Web Token (JWT)-based refresh tokens for OIDC-based applications. This new capabiliity improves interoperability with applications, custom resources, or both that require the `x5t` parameter in the digital signature verification process. Learn more in [Editing an application - OIDC](../applications/p1_edit_application_oidc.html). #### April 11 ##### Amazon Web Services integration kit 1.4.0 New PingOne Authorize We've released version 1.4.0 of the Amazon Web Services integration kit. Now you can extend Amazon CloudFront's authorization capabilities by deploying the integration kit as a Lambda\@Edge function. Integrating PingOne Authorize with CloudFront enables optimized content delivery and globally distributed access control of web applications and APIs. Learn more in [Configuring Amazon CloudFront](../authorization_using_pingone_authorize/p1az_configuring_cloudfront_lambda_edge.html). #### April 10 ##### Improvements to PingID OOTB Registration and Authentication DaVinci flows Improved Strong Authentication PingID PingID out-of-the-box (OOTB) registration and authentication flows in DaVinci have been expanded to include: * **FIDO2 (Passkey) support**: FIDO2 device authentication is now supported. * **Rename device during pairing**: The ability for users to specify a nickname for a device during pairing is now supported for PingID. * **PingOne branding support**: PingOne branding and themes are now supported. * **Customizable Settings button**: The MyAccount **Settings** button is now supported. The Settings URL now points to the MyAccount URL and can be customized in the Flow settings if required. * **Define self-enrollment behavior**: Admins can now choose whether users with no paired devices are directed to the registration screen or blocked from registering until they access their MyAccount or MyDevices page. This is defined in the DaVinci Flow settings for the relevant flow. * **OATH resync flow support**: The OATH resync flow isn't supported for OOTB PingID registration and authentication flows. * **Error screen improvements**: Improvements to the error screens are now included in the OOTB PingID registration and authentication DaVinci flows. #### April 9 ##### Updated UI for External IdPs Improved PingOne We modernized **External IdPs** in PingOne with a new look and feel. Learn more in [External IdPs](../integrations/p1_external_idps.html). #### April 2 ##### Early access opt in for new features New PingOne You can now try out new PingOne features before they're released and provide feedback directly to Ping from the admin console. You decide which features to enable during the early access period and the environments in which to enable them. You can also opt out of a previously enabled feature during the early access period. Learn more in [Managing opt-ins for early access features in PingOne](../settings/p1_managing_opt_ins_for_ea_features.html) and [PingOne Early Access Features](../early-access-features/p1_early_access_features.html). | | | | - | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | Not all features will be available for early access. Early access feature availability is determined by Ping, and the features you can enable are dependent on a number of factors including licensing, environment configuration, and administrator permissions. All released features are enabled at GA. You can't opt in or out of released features. | ##### PingOne MFA mobile SDK 2.0 New PingOne MFA We've released version 2.0 of the PingOne MFA mobile SDK. This version includes the following features and enhancements: * You can now require users to carry out number matching when authenticating. * Apps can now be configured so the same device can be paired in multiple geographic regions. * Using the PingOne API, you can now cancel an authentication that has already begun. This option can be used for situations where the user wants to change to a different authentication device. Learn more in the documentation for the [Android version](https://github.com/pingidentity/pingone-mobile-sdk-android/blob/master/release-notes.md) and the documentation for the [iOS version](https://github.com/pingidentity/pingone-mobile-sdk-ios/blob/master/release-notes.md). ##### Authentication using number matching New PingOne MFA You can now specify that a mobile push requires the user to match a number that they were shown when requesting access. When you enable this option, you can have users select the correct number from a group of three numbers, or you can require users to actually enter the number that was shown. This feature requires version 2.0 or higher of the PingOne MFA SDK. ##### Pairing mobile device in multiple regions New PingOne MFA When developing mobile apps with the PingOne MFA SDK, you can now configure the apps such that it is possible for the same device to be paired in multiple geographic regions. Learn more about this feature in the documentation for the [SDK for iOS](https://github.com/pingidentity/pingone-mobile-sdk-ios/) and the documentation for the [SDK for Android](https://github.com/pingidentity/pingone-mobile-sdk-android/). This feature requires version 2.0 or higher of the PingOne MFA SDK. ### March 2025 #### March 31 ##### Manually enter number for number matching Improved Strong Authentication PingID You can now configure PingID mobile app's number matching feature to require users to enter the correct number manually, rather than selecting from a list of three numbers. * Learn more in [(Workforce Only) Configuring the PingID mobile application settings](../strong_authentication_mfa/p1_configuring_pid_mobile_application.html). * Learn about the user experience in [Authenticating using number matching](https://docs.pingidentity.com/pingid-user-guide/secure_authentication_with_pingid/main_auth_pid_mobile_app_authentication.html#NumberMatching). ##### Expanded management capabilities for migrated PingID accounts in PingOne New Strong Authentication PingID The ability to migrate existing PingID accounts to a PingOne environment and fully manage them from PingOne is now available for all admins. You can now migrate: * An existing PingID account to a new PingOne environment. * An existing PingID account to an existing PingOne environment. * If you integrated a PingID account with a PingOne environment before March 31, 2025, you can migrate the PingID management from the legacy PingID admin portal to PingOne. Learn more in [Migrating a PingID account from the legacy PingID admin portal to PingOne](../strong_authentication_mfa/p1_integrate_pingid_with_p1.html). #### March 26 ##### Updated LDAP gateway client application New PingOne We've released LDAP gateway client application version 3.4.0. This version includes: * Added `correlationId` to LDAP gateway client application log to help troubleshoot issues. * Upgraded dependencies to improve security. * Updated base image to reduce Docker image size. #### March 25 ##### Specify preferred language for populations New PingOne We've added the ability to select a **Language** for **Populations**, making it easier to specify the preferred language for a user when building authentication experiences in PingOne DaVinci. Learn more in [Managing populations](../directory/p1_manage_populations.html). ##### Manage Microsoft Active Directory user passwords New PingOne For workforce contexts, you can now manage Microsoft Active Directory user passwords using a PingOne LDAP gateway with **User Types**, where the **Password Authority** section is set to **LDAP** and **Password changes from PingOne enabled**. You can enable the following requirements: * **Force password reset on next sign on**: To force users to reset their password, they must first authenticate using the current password. If the user provides the correct current password, they must provide the current password one more time and define a new password. The new password is sent to Active Directory. * **Create or generate password**: When you set a temporary password, it's sent to Active Directory and the user must authenticate using the temporary password. If the user provides the correct current password, the user must re-enter the temporary password and define a new password, which is sent to Active Directory. ##### AAGUID in API responses for FIDO2 devices New PingOne MFA When using the `devices` endpoint to request details of a single MFA device or all MFA devices, responses for activated FIDO2 devices can now include the authenticator attestation identifier (AAGUID) for the type of authenticator. For details, see the new `fidoDeviceMetadata` object under [MFA devices](https://developer.pingidentity.com/pingone-api/mfa/users/mfa-devices.html) in the PingOne API documentation. #### March 23 ##### PingOne Protect (Signals) SDK - new versions PingOne Protect SDK We've released new versions of the PingOne Protect (Signals) SDK: * iOS - 5.3.0 * Android - 5.2.0 You can find details in the [SDK Changelog](https://developer.pingidentity.com/pingone-api/native-sdks/pingone-risk-sdks/protect_sdk_changelog.html). #### March 20 ##### Kong Gateway integration kit enhancement New PingOne Authorize We've released version 1.2.0 of the `ping-auth` plugin for Kong Gateway. This version improves security by supporting referenceable shared secrets in Kong. Learn more in [Configuring Kong Gateway for PingOne Authorize integration](../authorization_using_pingone_authorize/p1az_configuring_kong_for_p1az_integration.html). #### March 19 ##### Configure authentication failure limit for FIDO2 devices Improved Strong Authentication PingID PingOne MFA When configuring an MFA policy, you can now specify the maximum number of times authentication can fail when using a FIDO2 device, before the user is blocked. You can also specify the amount of time the user is blocked from authenticating with that device. Learn more in [Configuring an MFA policy for strong authentication](../strong_authentication_mfa/p1_creating_an_mfa_policy_for_strong_auth.html). #### March 17 ##### Custom domain infrastructure changes Info PingOne As part of our continued efforts to support best practice security measures in PingOne, we'll be using Cloudflare instead of Amazon CloudFront as our custom domain ingress infrastructure. This change is being deployed in a phased approach and affects you only if you use custom domains. Learn more about custom domains in [Setting up a custom domain](../settings/p1_set_up_custom_domain.html). * **Phase 1**: All custom domains added in PingOne after March 17, 2025 will use Cloudflare instead of CloudFront. There will be no change to existing custom domains in Phase 1. * **Phase 2**: Some time in the next quarter, Ping will release a migration option that will enable you to migrate your existing custom domains to Cloudflare on your own schedule. When Phase 2 is released, detailed migration instructions will be provided. * **Phase 3**: Approximately 1 year after the completion of Phase 2, any custom domains that you haven't yet migrated will be migrated to Cloudflare automatically. ###### Action required In most cases, no action is required at this time, and this change should be largely unnoticeable. However, you should contact your organization's network infrastructure team and direct them to review the [Custom domain migration to Cloudflare](../settings/p1_migrate_custom_domain_to_cloudflare.html) documentation for more information. This content contains details about how to assess whether your network and firewall settings require updates to support the new infrastructure. #### March 10 ##### ID of authenticating device in ID token New PingOne ID tokens now include a new claim called `p1.mfa_device_id`, the ID of the device that was used to authenticate. You can find more information about the content of ID tokens in [ID Token claims](https://developer.pingidentity.com/pingone-api/foundations/authentication-concepts/access-tokens-and-id-tokens/token-claims.html). #### March 4 ##### PingID device trust predictor in risk policies New PingOne PingID PingOne Protect For workforce contexts, risk evaluations can now include the new PingID device trust predictor if your users install the PingID device trust agent on their computers. This predictor requires a PingID and PingOne Protect license. Learn more in [Using the PingID device trust agent](../strong_authentication_mfa/p1_using_the_workforce_trust_agent.html), [PingID device trust predictor](../threat_protection_using_pingone_protect/p1_protect_risk_predictors.html#pingid-device-trust), and the [Risk Predictors section](https://developer.pingidentity.com/pingone-api/protect/risk-predictors.html) in the PingOne Protect API documentation. ### February 2025 #### February 25 ##### Language used for notifications Improved PingOne MFA When determining what language should be used for a notification sent to a user, PingOne now takes into account the language preference information included in the Accept-Language header sent by the browser. You can find a full description of the logic used for choosing a language in [Runtime logic for content selection](https://developer.pingidentity.com/pingone-api/platform/notifications/notifications-templates.html#notifications-templates-runtime-logic-for-content-selection) in the API documentation. ##### Push notifications - removal of legacy Google cloud messaging option Info PingOne With Google dropping support for its legacy cloud messaging APIs, native applications in PingOne no longer let you choose between **Cloud Messaging** and **Firebase Cloud Messaging**. The HTTP v1 API is now used for push notifications, and you must provide your Firebase Admin SDK private key. ##### Apply a specific notification policy to an MFA policy Improved Strong Authentication PingOne MFA PingID You can now select which notification policy you want to apply to an MFA policy. Learn more in [Configuring an MFA policy for strong authentication](../strong_authentication_mfa/p1_creating_an_mfa_policy_for_strong_auth.html). #### February 24 ##### Remember Me option in MFA policies New PingOne MFA You can now use the PingOne API to implement "remember me" functionality in your web applications so that users do not have to authenticate when accessing applications from a remembered browser during the period specified, which can be from one hour to 90 days. If you include this option, use the new **Remember Me Configurations** section when defining MFA policies to specify which policies should allow the option. For instructions on implementing this feature, see [Remembered Devices](https://developer.pingidentity.com/pingone-api/mfa/users/remembered-devices.html). #### February 20 ##### Ability to limit custom role access to Overview page added New PingOne We've added a new **Display Environment Overview** permission that controls access to the **Overview** page for the environment. This permission is included in all built-in administrator roles in PingOne, but you can remove it from custom roles to restrict access to this page. This permission affects visibility in the admin console only and doesn't affect API access. Learn more about built-in and custom roles in [Administrator Roles](../directory/p1_roles.html). #### February 12 ##### Population theme updates Improved PingOne If a population doesn't have a selected theme, the population now uses the active theme for the environment. This update ensures that preferred branding is displayed to users when building authentication experiences in PingOne DaVinci. Learn more in [Managing populations](../directory/p1_manage_populations.html). ##### Using expressions to access authentication JWT for token fulfillment New PingOne You can now use expressions to retrieve information from the authentication JSON Web Token (JWT) for access token and ID token fulfillment. Expressions are supported when using private key JWT and client secret JWT as the token endpoint authentication method. This capability improves interoperability between OpenID Connect (OIDC) applications and resources. Learn more in [Token endpoint authentication methods](../applications/p1_token_endpoint_authentication_methods.html) and [PingOne expression language variables](../pingone_expression_language/p1_expressionlang_variables.html). #### February 5 ##### PingOne Notifications - multiple custom SMS/voice providers New PingOne MFA You can now define up to three custom providers to use for SMS/voice notifications. After you've defined the providers, you can specify in your notification policies the order of provider preference to use in different geographical locations. #### February 4 ##### Multi-factor authentication required for access to admin console - updates Improved PingOne As part of our continued efforts to support best practice security measures in PingOne, we've made the following updates to enhance the multi-factor authentication (MFA) requirements introduced earlier this year: * **Update Admin MFA Settings** **modal**: Prompts administrators to update **Administrator Security** settings when signing on to environments in which enhanced security is not yet enabled. Use the modal to: * **Update Now**: Enforces new default security settings based on current environment policies. Displays information about the authentication policy and settings that will be enabled when you update. The confirmation message redirects you to the **Administrator Security** page so that you can verify the updates and make changes if necessary. | | | | - | ----------------------------------------------------------------------------------------------------------------------------------------------- | | | This update cannot be reversed from the admin console. Contact Ping Identity Support for changes during the opt-in period (until June 1, 2025). | * **Remind me later**: Delays the update. Administrators will be prompted again in the next browser session. * **Policy mapping changes**: The current default authentication policy for the environment is mapped to the new system security policy to ensure consistency. ###### Action Required Review and update the **Administrator Security** settings to enhance the security of your environments. For assistance, contact Ping Identity Support during the opt-in period. Ping Identity will require MFA for all PingOne administrators as of June 1, 2025. Learn more in the [PingOne administrators MFA requirement - FAQ](https://docs.pingidentity.com/pingone-admin-mfa-faq/p1_mfa_required_for_admins_faq.html). ### January 2025 #### January 31 ##### Access token enhancements Improved PingOne To reduce administrative and development tasks, PingOne now always includes the organization ID and environment ID in its access tokens. The claims are included in access tokens as `org` and `env`, respectively. If your organization's processes require the organization ID, environment ID, or both, you can now retrieve this information by reading the JSON Web Token (JWT)-based access tokens or sending introspection requests and reviewing the results. ##### Role assignment event enhancements Improved PingOne The role events in the PingOne audit report now use human-readable text instead of UUIDs for the role that was created or deleted and the scope or level at which the role change was made. Additionally, you can now easily monitor role assignment events by running a preconfigured audit report directly from the **Administrator Roles** page. Learn more in [Viewing administrator role events](../directory/p1_viewing_admin_role_events.html). #### January 30 ##### Detection of replay attacks Improved PingOne Protect PingOne Protect now detects replay attacks that use an intercepted valid payload from the Signals SDK. #### January 29 ##### Updated defaults for new native applications Improved PingOne When adding a new native application, PingOne creates the application with the following new defaults to align with current security best practices: * **Response Type**: **Code** * **Grant Type**: **Authorization Code** * **PKCE Enforcement**: **S256\_REQUIRED** Existing native applications won't be updated to use the new defaults. You can update the settings for new and existing native applications as needed. Learn more in [Editing an application - Native](../applications/p1_edit_application_native.html). ##### Format of phone numbers in Mexico Info PingOne MFA The format of Mexican phone numbers that was used prior to August 2019 (adding "1" before the area code) is no longer supported. #### January 28 ##### PingID as a digital wallet New PingOne Credentials You can now add PingID as a digital wallet to issue verifiable credentials. Learn more in [Creating a credential](../digital_credentials_using_pingone_credentials/p1_credentials_creating_a_credential.html). ##### Terminate user sessions with only ID token New PingOne You can now enable OIDC-based applications to send a sign-off request for PingOne to terminate a user session using only the ID token. This is most useful for applications that don't have access to the session token cookie. This capability is controlled by a new per-application setting, **Terminate User Session by ID Token**. Learn more in [Editing an application](../applications/p1_editing_applications.html). #### January 21 ##### OIDC-based LinkedIn external identity provider New PingOne The LinkedIn external identity provider (IdP) now uses an OpenID Connect (OIDC) *(tooltip: \
\

An authentication protocol built on top of OAuth that authenticates users and enables clients (relying parties) of all types to request and receive information about authenticated sessions and users. OIDC is extensible, allowing clients to use optional features such as encryption of identity data, discovery of OpenID Providers (OAuth authorization servers), and session management.\

\
)*-based connection to allow your users to sign on to an application with LinkedIn. The legacy OAuth 2.0-based IdP connection for LinkedIn has been deprecated. Existing applications using the legacy IdP will continue to work, but new applications default to the new OIDC-based connection. Learn more in [Adding an identity provider - LinkedIn](../integrations/p1_add_idp_linkedin_prereqs.html). #### January 20 ##### Introducing Authorize gateways New PingOne PingOne Authorize We've released Authorize gateway version 1.0.0. To reduce authorization latency when you have demanding performance requirements, you can now deploy authorization policies managed in PingOne to Authorize gateway instances located on-premise or in your private cloud. In highly regulated environments, this also ensures data privacy by keeping sensitive data for authorization decisions within your secure trust boundary. Learn more in [Authorize gateways](../integrations/p1_authz_gateways.html). #### January 14 ##### Custom OAuth parameters for HTTP service requests Improved PingOne Authorize You can now send additional parameters in HTTP service requests. For HTTP services authenticated with the Client Credentials grant type, use the **Custom OAuth Parameters** setting to add custom key-value pairs to the token endpoint request. This level of customization is useful when integrating with authorization servers that enforce specific configuration constraints. Learn more in [Connecting an HTTP service](../authorization_using_pingone_authorize/p1_az_connecting_an_http_service.html). ##### Troubleshooting LDAP authentication Improved PingOne We've added the following information to the gateway client application logs to help solve authentication issues reported by end users. Find out whether a user: * Entered an incorrect username. * Entered a correct username but an incorrect password. | | | | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | For security reasons, this information is only visible to admins and isn't displayed to end users. The end-user experience remains unchanged. The standard message is `Incorrect username or password. Please try again.` | ##### Improved application management experience Improved PingOne To improve the administrator experience, we've moved application endpoints and URLs from the **Configuration** tab to the **Overview** tab. This makes it easier and faster to navigate to the configuration details you need for day-to-day application management. Learn more in [Viewing application details](../applications/p1_viewapplications.html). #### January 10 ##### Authorization Dashboard enhancements Improved PingOne Authorize We've refreshed the **Authorization Dashboard** to improve your user experience. You can track authorizations and decision counts by date, and view the average execution time for services, in addition to the maximum execution time. Learn more in [Authorization Dashboard](../authorization_using_pingone_authorize/p1_az_dashboard.html). #### January 9 ##### Step-up authentication for APIs New PingOne PingOne Authorize You can now force step-up authentication when users access sensitive resources through APIs. When authenticated users try to access more sensitive resources, such as salary data, health records, or premium content, you can require a higher level of authentication and also set limits on the amount of time allowed since the last authentication event. Use the new **Respond with authentication step-up challenge** statement template to implement step-up authentication challenges in policies that protect API services and operations. Learn more in [Step-up authentication for APIs](../authentication/p1_stepup_authentication_for_apis.html) and [Statement templates](../authorization_using_pingone_authorize/p1az_statement_templates.html). ##### Define Public Key Credential Hints in the FIDO policy Improved PingOne You can now define Public Key Credential Hints. This field allows you to select the authenticating device that your users are most likely to choose during pairing. The selection is considered as a 'hint' to the authenticator. Learn more in [Adding a FIDO policy](../authentication/p1_creating_a_fido_policy.html). ##### RADIUS gateway enhancements New PingOne We've updated the RADIUS gateway client application to version 1.3.0. This version includes the following enhancements: * Support for the use of a forward web proxy server to handle traffic between the RADIUS gateway client and PingOne. * Support for the EAP-MSCHAPv2 protocol when integrating the RADIUS gateway with a Network Policy Server (NPS). Learn more in [RADIUS gateways](../integrations/p1_radius_gateways_intro.html). ##### RADIUS gateway security enhancement Improved PingOne We've made some enhancements to the RADIUS Client security configuration to mitigate the risk of a BlastRADIUS attack. Learn more in [Adding a RADIUS gateway](../integrations/p1_add_radius_gateway.html). ##### RADIUS gateway fails to forward requests to the NPS Server Fixed STAGING-24934 PingOne We've fixed an issue that was preventing RADIUS gateway from forwarding requests to the NPS (Network Policy Server) in instances where the RADIUS client and the NPS shared the same IP address. #### January 6 ##### PingID account in PingOne New Strong Authentication PingOne MFA PingID We've added the ability to create a new PingID account and manage it from a PingOne environment. Many features that were previously managed by the legacy PingID admin portal (on the **Configuration** tab and the **Device and Pairing** tab) can now be managed in PingOne. Administrators can also take advantage of additional functionality available in PingOne including: * PingID accounts in PingOne can now configure the full range of authentication methods from PingOne's MFA policy. * All application-specific configurations can be done from the relevant application on the PingOne **Applications** tab. A PingID mobile application and a PingID desktop application appear in the **Applications** list by default. Learn more in [Configuring the PingID mobile application settings](../strong_authentication_mfa/p1_configuring_pid_mobile_application.html) and [Configuring the PingID desktop application](../strong_authentication_mfa/p1_pid_desktop_app_start.html). * PingID's email, SMS, and voice providers can now be configured from PingOne. Learn more in [Senders](../settings/p1_sender.html). * You can now edit and customize PingID notification templates from PingOne. * You can view MFA dashboards and reporting in PingOne. PingID reports are still available in the legacy PingID admin portal. A small number of features are still managed by the legacy PingID admin console, such as PingID policy. ##### Early access to manage PingID out of PingOne New Strong Authentication PingID We've provided a limited number of existing customers with the ability to migrate the management of their PingID account to PingOne. To help administrators who are familiar with specific fields for specific features in the legacy PingID admin portal to find the equivalent fields in PingOne, in the legacy PingID admin portal for all relevant fields we've added a link to the equivalent field in PingOne. | | | | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | | | * For customers with early access, it is important to read [What you need to know before integrating or migrating a PingID account into a PingOne environment](../strong_authentication_mfa/p1_what_to_know_before_integrating_existing_pid_account_to_p1.html) before migrating your account. * Customers who want to join the early access track should contact their Ping Identity representative. | ##### Bypass MFA for a specific user New Strong Authentication PingOne MFA PingID It's now possible to bypass MFA for a specific user for a specific time period or for an unlimited time. When bypass is enabled, the user is able to access their account or application without authenticating using MFA. Learn more in [Bypass MFA for a specific user](../directory/p1_pid_bypass_mfa.html). ##### Documentation improvements Improved Strong Authentication PingOne MFA PingOne MFA documentation has been improved and is now included as part of a single section, *Strong authentication*. The new section includes a dedicated page for each authentication method, outlining the features of that authentication method, and various configuration options. It also indicates which authentication methods are supported by the use case (workforce, customer, or both), and includes details of requirements and limitations for each authentication method. Learn more in [Strong Authentication (MFA)](../strong_authentication_mfa/p1_strong_authentication_start.html). ## 2024 ### December 2024 #### December 16 ##### Device Authorization app restored to PingID policy Fixed STAGING-25145 PingOne For PingID accounts that are integrated with PingOne environments, we've fixed an issue in the legacy PingID admin portal that was preventing the Device Authorization app from showing in the PingID policy applications list. #### December 10 ##### Population alternative identifiers and theme New PingOne We've added the ability to configure **Alternative Identifiers** for **Populations**, making it easier to determine a user's population based on an identifier value in a DaVinci flow. Additionally, populations can now specify a **Theme**, making it easier to determine the preferred branding for a user when building authentication experiences in PingOne DaVinci. Learn more in [Managing populations](../directory/p1_manage_populations.html). ##### Add custom attributes from Workday into PingOne New PingOne You can add custom attributes from Workday into PingOne. Learn more in [integrations:p1\_create\_workday\_connection.adoc#p1\_workday\_system\_field](../integrations/p1_create_workday_connection.html#p1_workday_system_field), [Workday system Ids](../integrations/p1_create_workday_connection.html#p1_workday_system_ids), and [Syncing custom attributes from Workday into PingOne](../integrations/p1_create_workday_connection.html#p1_sync_workday_attribute). #### December 9 ##### Define the user presence timeout for FIDO devices Improved PingOne MFA You can now define a user presence timeout value for FIDO2 devices. The **User Presence Timeout** field defines the amount of time the user has to perform a user presence gesture with their FIDO device before the request expires. Learn more in [Adding a FIDO policy](../authentication/p1_creating_a_fido_policy.html). ### November 2024 #### November 20 ##### Added Active Directory compatibility to the Reset Password capability Improved PingOne The **Reset Password** capability in the DaVinci LDAP connector is now compatible with Active Directory. Learn more in [LDAP Connector](https://docs.pingidentity.com/connectors/ldap_connector.html#reset-password). #### November 19 ##### User demographic dashboard New PingOne The User demographic dashboard shows a summary of user demographic profiles and activity for the selected environment. Learn more in [User Demographics Dashboard](../monitoring/p1_user_demographic_dashboard.html). #### November 18 ##### Simplified OIDC application configuration and integration New PingOne We've enhanced the application configuration process for OpenID Connect (OIDC) applications. The new **Integrate** tab provides access to prefilled code examples, instructions, and sample apps for testing connections. Initial support is available for Node.js Express and the Ping SDK for JavaScript. Learn more in [Integrate PingOne with a Node.js Express app](../pingone_tutorials/p1_tutorial_integrate_nodejs_express_app.html) or [Integrate Ping SDK for JavaScript with PingOne](https://docs.pingidentity.com/sdks/latest/sdks/tutorials/javascript/pingone/index.html). #### November 14 ##### Manually approve a user's ID Improved PingOne Verify You can now manually approve a user's ID from the transaction log. Learn more in [Manually approving a user's ID](../identity_verification_using_pingone_verify/p1_verify_manually_approve_id.html). #### November 13 ##### Specifying authentication policy for SAML applications using `flowPolicyId` New PingOne PingOne now supports using the `flowPolicyId` HTTP request parameter to indicate the authentication policy for PingOne to use when authenticating users to a SAML application. You can include the `flowPolicyId` HTTP request parameter in the **Initiate Single Sign-On URL** to specify a PingOne authentication policy or a DaVinci flow policy. Learn more in [Editing an application - SAML](../applications/p1_edit_application_saml.html). ##### Amazon API Gateway integration kit retries for client network errors New PingOne Authorize We've released Amazon API Gateway integration kit version 1.3.0. This version includes a retry mechanism to improve the handling of client network errors caused by connection resets. Use the `maxRetries` setting in `config.js` to set the maximum number of retries you want before returning a failed response to the client. The default is `1`. Learn more in [Configuring Amazon API Gateway for PingOne Authorize integration](../authorization_using_pingone_authorize/p1az_configuring_amazon_for_p1az_integration.html). #### November 12 ##### Language localization New PingOne Verify Use language localization to configure one or more languages and modify text fields of PingOne Verify text that is presented to end users in notification and agreements. Learn more in [Configuring PingOne Verify language localization](../identity_verification_using_pingone_verify/p1_verify_language_localization.html). #### November 11 ##### Deletion of staging policies when promoting to production New PingOne Protect When you promote a staging policy to production, the staging policy will now be automatically deleted from your list of risk policies. You can no longer unlink PingOne Protect staging policies from a production policy. Learn more in [Creating and managing staging policies](../threat_protection_using_pingone_protect/p1_protect_creating_managing_staging_policies.html). #### November 6 ##### PingOne Protect (Signals) SDK - new versions New PingOne Protect SDK We've released new versions of the PingOne Protect (Signals) SDK: * iOS - 5.2.8 * Android - 5.1.5 * Web - 5.4.0 You can find details in the [SDK Changelog](https://developer.pingidentity.com/pingone-api/native-sdks/pingone-risk-sdks/protect_sdk_changelog.html). #### November 5 ##### Support for `offline_access` scope in OIDC applications New PingOne PingOne now supports the `offline_access` scope for OIDC-based applications. Add `offline_access` as an allowed scope to enable an application to use the Refresh Token grant type to access previously approved resources when the user is not present and on a per-request basis. This allows the application to drive the decision to request a refresh token based on whether or not it needs a refresh token. Learn more in [Editing an application](../applications/p1_editing_applications.html).